Hi there,

I'm having a bit of trouble with version numbers reported in DSAs. We keep our stable systems patched by updating against security.debian.org but have an external audit process, which compares the versions of installed packages with the versions reported as fixed in each DSA.

The problem is that the versions reported in the DSA are often missing the epoch; take for example the bind9 DSA-1847 which says that the problem is fixed in version 9.5.1.dfsg.P3-1 when the version on my patched Lenny system is actually 1:9.5.1.dsfg.P3-1. If I hadn't applied the patch, I'd be running an earlier version (say 1:9.5.1), which dpkg --compare-versions would still show as being more recent than the "fixed" version reported in the DSA.

Is it possible to include the epoch in the version number reported in the DSA, so it matches the actual version field of the Debian package which includes the fix? I presume this is simply a bug in the automated DSA issuing process...

Cheers,
Alex

--
Alex Page
Senior Systems Administrator, Systems & Technology Group
Manchester Lab, IBM UK
Phone: +44 (0) 161 836 2300

Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
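The comparison problem described in the message above, as an added example that is not part of the original post: a simplified Python reimplementation of Debian's version ordering (epoch first, then upstream version, then revision) showing how an advisory string without its epoch makes an unpatched package look fixed. The function names and the "epoch-mismatch" audit policy are hypothetical, and the `1:`-prefixed fixed version is constructed here from the DSA string.

```python
import re
from itertools import zip_longest

def parse(version):
    """Split [epoch:]upstream[-revision]; a missing epoch means epoch 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def _weight(ch):
    # dpkg ordering: '~' sorts before end-of-string, letters before other characters.
    if not ch:
        return 0
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_str(a, b):
    chunks = r"(\D*)(\d*)"  # alternating non-digit and digit runs
    for (sa, da), (sb, db) in zip_longest(re.findall(chunks, a), re.findall(chunks, b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return -1 if _weight(ca) < _weight(cb) else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare(a, b):
    """Return -1, 0 or 1; the epoch is compared first and outranks everything else."""
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_str(ua, ub) or _cmp_str(ra, rb)

def audit(installed, advisory_fixed):
    """Hypothetical audit policy: refuse to decide when the epochs differ."""
    if parse(installed)[0] != parse(advisory_fixed)[0]:
        return "epoch-mismatch"
    return "patched" if compare(installed, advisory_fixed) >= 0 else "vulnerable"

DSA_FIXED = "9.5.1.dfsg.P3-1"        # version string as quoted from DSA-1847
UNPATCHED = "1:9.5.1"                # the earlier version from the message
FIXED_WITH_EPOCH = "1:" + DSA_FIXED  # constructed: DSA string with epoch 1 prepended

if __name__ == "__main__":
    print(compare(UNPATCHED, DSA_FIXED))      # naive check: unpatched looks newer
    print(audit(UNPATCHED, DSA_FIXED))
    print(audit(UNPATCHED, FIXED_WITH_EPOCH))
```

An audit tool that returns "epoch-mismatch" instead of a verdict turns the silent false "patched" result into an item for manual review.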

