Security tracker is correct for python-dns. Scott K
On May 14, 2021 6:22:12 AM UTC, Brian May <[email protected]> wrote: >Forwarding this request to [email protected] who deal with the >security infrastructure in Debian. > >Andrei Nikonov <[email protected]> writes: > >> Dear Mr. Kitterman and Python Modules Team, >> >> I am writing to you as you are mentioned as a maintainers of >*python-dns * >> package. >> >> I did some research about Debian vulnerability data and found an >issue. >> >> If I check CVE-2008-1447 >> <https://security-tracker.debian.org/tracker/CVE-2008-1447> with >Debian >> Security Tracker page, I will see that fixed version for python-dns >is >> *2.3.1-5* (the same version is on page of JSON-formatted security >data >> <https://security-tracker.debian.org/tracker/data/json>) >> >> But information of this CVE in the file of OVAL data for Buster >> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is >> different. Definition of that CVE starts from line 74982 in that >file. >> Criterion below tells that >> *None DPKG is earlier than 2.43-1. * >> >> My questions are: >> 1. Should I consider fixed version 2.43-1 for python-dns? >> 2. Why OVAL criterion references to "None" object? How should I >interpret >> this? >> 3. Should I rely on OVAL files? >> >> Hoping for an answer. >> -- >> Andrey Nikonov, >> Security engineer, >> "Frodex" Ltd. >> Ufa, Russia. >> _______________________________________________ >> Python-modules-team mailing list >> [email protected] >> >https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team _______________________________________________ Python-modules-team mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
