* Sheldon Hearn:

> For example, on an Etch box:
>
> $ debsecan --only-fixed --format=detail --suite=etch
> ...
> CVE-2007-1262 (fixed)
> Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter
> ...
> installed: squirrelmail 2:1.4.9a-3
> (built from squirrelmail 2:1.4.9a-3)
> fixed in unstable: squirrelmail 2:1.4.10a-1 (source package)
> fixed on branch: squirrelmail 2:1.4.4-11 (source package)
> fixed on branch: squirrelmail 2:1.4.9a-2 (source package)
> fix is available for the selected suite (etch)
> ...

Something is wrong because the -3 version is known to the tracker, but not listed in your output.

> I think debsecan should extend VersionAPT to use
> apt_pkg.UpstreamVersion(),
> so the decision can be modified to return something like:
>
> If the installed version is the same or greater than any of the
> other_versions that have the same upstream version, then it is
> not vulnerable.

This doesn't work because there might be a -4 version in unstable which hasn't got the fix. (This is more apparent with the usual -1+etch1 versioning scheme.)
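An added illustration of the objection above, not code from debsecan or from either poster: a small Python reimplementation of dpkg's version ordering (so it needs no apt_pkg), the "same upstream version" heuristic as quoted, and a constructed scenario in which a hypothetical unstable upload 2:1.4.9a-4 without the fix sits beside an assumed stable security upload 2:1.4.9a-1+etch1; the heuristic clears the -4 package even though it is still below the real unstable fix 2:1.4.10a-1 shown in the report.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering of non-digits: '~' before anything, letters before
    # non-letters; '' (exhausted string) sorts like a digit boundary (0).
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Like dpkg's verrevcmp(): alternate a non-digit run and a digit run.
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        a, b = a[len(sa):], b[len(sb):]
        sa, sb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(sa or "0") != int(sb or "0"):
            return int(sa or "0") - int(sb or "0")
        a, b = a[len(sa):], b[len(sb):]
    return 0

def parse(version):
    # "[epoch:]upstream[-revision]": first ':' ends the epoch, last '-'
    # starts the revision, so "1+etch1" is a revision, not upstream.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    # Negative, zero or positive, in the same order dpkg would give.
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def proposed_not_vulnerable(installed, fixed_versions):
    # The heuristic quoted in the thread: clear the package when the
    # installed version is >= any fixed version with the same upstream.
    upstream = parse(installed)[1]
    return any(parse(f)[1] == upstream and compare(installed, f) >= 0
               for f in fixed_versions)

# Constructed scenario (assumed, not from the report): a hypothetical
# unstable upload 2:1.4.9a-4 without the fix, beside an assumed stable
# security upload 2:1.4.9a-1+etch1; the real unstable fix is 2:1.4.10a-1.
INSTALLED = "2:1.4.9a-4"
FIXED = ["2:1.4.9a-1+etch1", "2:1.4.10a-1"]
```

With these inputs `proposed_not_vulnerable(INSTALLED, FIXED)` returns True although `compare(INSTALLED, "2:1.4.10a-1")` is negative, which is the false negative the reply points out.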