Hi,

I'm working with Debian OVAL feeds (the ones in https://www.debian.org/security/oval/). A lot of definitions have a criterion saying that the version is "earlier than 0", e.g.

<criterion comment="sendmail DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:5"/>

What's the meaning of this version, that it's not addressed yet? If so, I find some discrepancies, e.g. in the Jessie feed we have sendmail CVE-1999-1580 with that version. If we check in the security tracker - https://security-tracker.debian.org/tracker/CVE-1999-1580 - it says that the status for Jessie is "fixed" for version "8.14.4-8+deb8u2". However, some having that version are actually tracked as "vulnerable" in the security tracker.

Is this expected? What would the recommendation for handling these be?

Thanks,
Lyubo