[gentoo-user] Re: I don't understand version numbers in Gentoo security advisories

2016-03-04 Thread Grant Edwards
On 2016-03-04, Jonathan Callen  wrote:
> On 03/03/2016 04:00 PM, Grant Edwards wrote:
>
>> I'm sure I'm just being stupid, but I don't understand the lists of
>> affected and unaffected version numbers in Gentoo security 
>> advisories.
>> 
>> For example:
>> 
>> Package dev-libs/openssl on all architectures
>> Affected versions      < 1.0.2f
>> 
>> Unaffected versions    >= 1.0.2f, revision >= 1.0.1r, revision >= 1.0.1s,
>> revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >= 0.9.8z_p9,
>> revision >= 0.9.8z_p10, revision >= 0.9.8z_p11, revision >= 0.9.8z_p12,
>> revision >= 0.9.8z_p13, revision >= 0.9.8z_p14, revision >= 0.9.8z_p15
>> 
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
>> there a need to list that versions >= 0.9.8z_p[9-15] are
>> unaffected?  Are <> relationships between version numbers within the
>> 0.9.8z_pNNN series not transitive?
>
> The "revision >=" operator in GLSAs indicates "any -r# revision of the
> version greater than or equal to the indicated revision", so this is
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
> *is* affected.

Doh! After all these years, I just now realized that some of those
expressions are about "version" and some are about "revision"!  I'd
always been reading them as the same thing.

I knew I had to be missing something basic...

Thanks for the clue!

-- 
Grant Edwards               grant.b.edwards        Yow! I would like to
                                  at               urinate in an OVULAR,
                               gmail.com           porcelain pool --




[gentoo-user] Re: I don't understand version numbers in Gentoo security advisories

2016-03-03 Thread Jonathan Callen
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/03/2016 04:00 PM, Grant Edwards wrote:
> I'm sure I'm just being stupid, but I don't understand the lists of
> affected and unaffected version numbers in Gentoo security 
> advisories.
> 
> For example:
> 
> Package dev-libs/openssl on all architectures
> Affected versions      < 1.0.2f
> 
> Unaffected versions    >= 1.0.2f, revision >= 1.0.1r, revision >= 1.0.1s,
> revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >= 0.9.8z_p9,
> revision >= 0.9.8z_p10, revision >= 0.9.8z_p11, revision >= 0.9.8z_p12,
> revision >= 0.9.8z_p13, revision >= 0.9.8z_p14, revision >= 0.9.8z_p15
> 
> If it's true that versions >= 0.9.8z_p8 are unaffected, why is 
> there a need to list that versions >= 0.9.8z_p[9-15] are 
> unaffected?  Are <> relationships between version numbers within the
> 0.9.8z_pNNN series not transitive?
> 

The "revision >=" operator in GLSAs indicates "any -r# revision of the
version greater than or equal to the indicated revision", so this is
saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
*is* affected.

Jonathan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJW2NLFAAoJEEIQbvYRB3mg0bcQAJ1q+HjadMnxf+c/8JwF0w/U
qQOi7GqaJr2k4zq3I50MxltlsPxyT+wlmq08bEk0nBZ59r/lRhTqsqZtYJVLHyXH
EvwXIq5K7MHvdgNoAmW6LXPxoVc3vQssMKWq5ypY6ZOqteGl7gSsv+M445L9vyMp
7dq63FyxRWWTWY0Wp3og0Do7HBaJTpNjVxjCeXGwOTx4LGYY+ef1Gec+AJbCiIfE
FbQhcagVGPQqolH8vc9Fj/Erw9JwX6kw8KewGv6fJC/7O2cI2urcp6Lc1PBfDEfW
to46VJ0qXw3ZO432QLH63iAKmi2BDJbhRUnvv9h14O4Ac+dJEsvMVwElrDA3kZt9
yo9sEFzNMTXELi5chFB4XgDJ47h4/bvP08SQ/OukFwaoH1oSSrWGhLpAmb9VfJOE
VvzIhXtL/Fm/6nuAKYfZOvV4ad/XhPqRYud6VkpklcPBZEj5ABR8af16oOYqJiZX
9fn6FtGzH9vOF89Q13BDobhU4dCgxGwzPrSxVFVvGFmTivaysb/MOzGon/W+5r8K
DxdlDhuix/lSWaJv7BZSrBfnxj2D51COP1sj4tCwSAZMucv0QbqQtM+XC8ShtAVF
mwNuhGS2NEusEqF7Y40AQKuEfugkSpTukHXqWE7dbBp5C7b8mYTey5Ctuq9GKG3+
51fTQlzO8R6KfzJObyaQ
=1iq3
-----END PGP SIGNATURE-----
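A worked example of the two operators Jonathan describes, added here and not part of the thread, of Portage or of gentoolkit's glsa-check. The version ordering follows the Package Manager Specification (section 3.3); the operator names are the GLSA XML range values (ge, gt, le, lt, eq, and the revision-only rge, rgt, rle, rlt, the last group being what the rendered advisory prints as "revision >="). The affected/unaffected ranges are transcribed from the GLSA quoted above, and the "vulnerable = inside an affected range and outside every unaffected range" verdict is an assumption modelled on how glsa-check reports, not taken from the thread.

```python
"""Gentoo version ordering plus GLSA range operators (illustrative, not Portage code)."""
import re

_VER_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# _alpha < _beta < _pre < _rc < (no suffix, rank 4) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}


def _cmp(a, b):
    return (a > b) - (a < b)


def parse(version):
    """Split a version string into (numeric components, letter, [(suffix, n)], revision)."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    suffixes = [(kind, int(n or 0))
                for kind, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m["suffixes"])]
    return m["nums"].split("."), m["letter"] or "", suffixes, int(m["rev"] or 0)


def vercmp(v1, v2):
    """PMS 3.3 ordering of two full versions: -1, 0 or 1 like the old cmp()."""
    n1, l1, s1, r1 = parse(v1)
    n2, l2, s2, r2 = parse(v2)
    if c := _cmp(int(n1[0]), int(n2[0])):   # first component: plain integer
        return c
    for a, b in zip(n1[1:], n2[1:]):
        # A leading zero forces a string compare with trailing zeros stripped (1.01 < 1.1).
        c = _cmp(a.rstrip("0"), b.rstrip("0")) if a[0] == "0" or b[0] == "0" else _cmp(int(a), int(b))
        if c:
            return c
    if c := _cmp(len(n1), len(n2)):         # 1.0.2 > 1.0
        return c
    if c := _cmp(l1, l2):                   # 1.0.2f > 1.0.2e > 1.0.2
        return c
    for (k1, x1), (k2, x2) in zip(s1, s2):
        if c := _cmp(_SUFFIX_RANK[k1], _SUFFIX_RANK[k2]) or _cmp(x1, x2):
            return c
    if len(s1) != len(s2):
        # An extra _p suffix makes a version greater; any other extra suffix makes it smaller.
        longer, extra = (1, s1[len(s2)]) if len(s1) > len(s2) else (-1, s2[len(s1)])
        return longer if extra[0] == "p" else -longer
    return _cmp(r1, r2)                     # -r1 > (no revision)


def _split_revision(version):
    """'0.9.8z_p15-r1' -> ('0.9.8z_p15', 1); '1.0.1r' -> ('1.0.1r', 0)."""
    m = re.match(r"^(.*?)(?:-r(\d+))?$", version)
    return m[1], int(m[2] or 0)


def matches(version, op, ref):
    """Is `version` inside the GLSA range (op, ref)?

    Plain operators compare whole versions. The r* operators first demand the same
    version-without-revision and then compare only the -rN part, which is why
    '0.9.8z_p9' does NOT match 'rge 0.9.8z_p8' and each _pN needs its own entry.
    """
    if op.startswith("r"):
        v_base, v_rev = _split_revision(version)
        r_base, r_rev = _split_revision(ref)
        if vercmp(v_base, r_base) != 0:
            return False
        c, op = _cmp(v_rev, r_rev), op[1:]
    else:
        c = vercmp(version, ref)
    return {"eq": c == 0, "gt": c > 0, "ge": c >= 0, "lt": c < 0, "le": c <= 0}[op]


# Ranges transcribed from the dev-libs/openssl GLSA quoted in the thread.
AFFECTED = [("lt", "1.0.2f")]
UNAFFECTED = [("ge", "1.0.2f"), ("rge", "1.0.1r"), ("rge", "1.0.1s"), ("rge", "1.0.1t")]
UNAFFECTED += [("rge", f"0.9.8z_p{n}") for n in range(8, 16)]


def is_vulnerable(installed, affected=AFFECTED, unaffected=UNAFFECTED):
    """Assumed glsa-check style verdict: in an affected range and in no unaffected range."""
    hit = any(matches(installed, op, ref) for op, ref in affected)
    return hit and not any(matches(installed, op, ref) for op, ref in unaffected)


def covering_ranges(installed, unaffected=UNAFFECTED):
    """Which unaffected ranges vouch for this version (shows why every _pN is listed)."""
    return [f"{op} {ref}" for op, ref in unaffected if matches(installed, op, ref)]


if __name__ == "__main__":
    for v in ["0.9.8z_p7", "0.9.8z_p8", "0.9.8z_p8-r1", "0.9.8z_p9", "1.0.0",
              "1.0.1q", "1.0.1r-r2", "1.0.2e", "1.0.2f", "1.1.0"]:
        print(f"{v:14} vulnerable={is_vulnerable(v)!s:5} via {covering_ranges(v)}")
```

Running it shows that 0.9.8z_p9 is covered only by "rge 0.9.8z_p9", never by "rge 0.9.8z_p8", while 0.9.8z_p8-r1 is covered by "rge 0.9.8z_p8" and 1.0.0 by nothing at all. That is the whole answer to the original question: "revision >=" ranges do not chain across base versions, so the advisory has to spell out every patched 0.9.8z_pN it considers fixed.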