* Aneurin Price:

> I'm running sarge with clamav from debian-volatile, and debsecan
> reports some vulnerabilities with it. I'm fairly sure that the version
> I have installed (0.91.2-0volatile1) is in fact okay, and that the
> problem is simply that debsecan doesn't understand volatile - based on
> the vulnerability descriptions which seem to be telling me that the
> vulnerabilities are fixed in the version I'm using.

Actually, debsecan should be able to deal with this situation. I guess that CVE-2007-4560 is an example for this kind of problem. We've marked it as fixed in version 0.91.2-1, but volatile contains 0.91.2-0volatile1, which is less than that.

I suppose we could mark it as fixed in 0.91.2, which would cover both cases (and wouldn't introduce a false negative if this bug was in fact fixed upstream).

