Package: debsecan
Version: 0.4.19
Severity: normal

In the daily report, debsecan seems to regard -dbgsym packages as
obsolete. These packages are not obsolete; they are just from a suite and repo
that is different from the rest of the installed packages.

For example, before installing pngcrush-dbgsym:

CVE-2015-7700 Double-free vulnerability in the sPLT chunk structure...
  <https://security-tracker.debian.org/tracker/CVE-2015-7700>
  - pngcrush (remotely exploitable, high urgency)

After installing pngcrush-dbgsym:

CVE-2015-7700 Double-free vulnerability in the sPLT chunk structure...
  <https://security-tracker.debian.org/tracker/CVE-2015-7700>
  - pngcrush (remotely exploitable, high urgency)
  - pngcrush-dbgsym (remotely exploitable, high urgency, obsolete)

$ apt policy pngcrush-dbgsym
pngcrush-dbgsym:
  Installed: 1.7.85-1+b2
  Candidate: 1.7.85-1+b2
  Version table:
 *** 1.7.85-1+b2 900
        900 https://deb.debian.org/debian-debug testing-debug/main amd64 Packages
        800 https://deb.debian.org/debian-debug unstable-debug/main amd64 Packages
        100 /var/lib/dpkg/status
$ apt policy pngcrush
pngcrush:
  Installed: 1.7.85-1+b2
  Candidate: 1.7.85-1+b2
  Version table:
 *** 1.7.85-1+b2 900
        900 https://deb.debian.org/debian testing/main amd64 Packages
        800 https://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debsecan depends on:
ii  ca-certificates        20170717
ii  debconf [debconf-2.0]  1.5.69
ii  python                 2.7.15-3
ii  python-apt             1.6.2

Versions of packages debsecan recommends:
ii  cron                                       3.0pl1-130
ii  exim4                                      4.91-6
ii  exim4-daemon-light [mail-transport-agent]  4.91-6

debsecan suggests no packages.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
