On Tue, Sep 01, 2020 at 04:51:43AM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
>
> Thank you for providing the great tracker system. I have a question. When it
> comes to CVE-2017-10965, the following page says 1.0.2-1+deb9u2 is the fixed
> version on stretch.
> https://security-tracker.debian.org/tracker/CVE-2017-10965
>
> Change log also says so.
> https://launchpad.net/debian/+source/irssi/+changelog
>
> But OVAL says 1.0.2-1+deb9u3 as follows.
>
> $ curl https://www.debian.org/security/oval/oval-definitions-stretch.xml |
> grep -A 50 CVE-2017-10965
>
> <criterion comment="irssi DPKG is earlier than 1.0.2-1+deb9u3"
> test_ref="oval:org.debian.oval:tst:13567"/>
> Which is correct?

1.0.2-1+deb9u2 should be correct, so the OVAL data seems wrong here.

Cheers,
Moritz