On 03/03/2016 23:00, Grant Edwards wrote:
> I'm sure I'm just being stupid, but I don't understand the lists of
> affected and unaffected version numbers in Gentoo security advisories.
>
> For example:
>
> Package dev-libs/openssl on all architectures
> Affected versions < 1.0.2f
>
> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >= 1.0.1s,
> revision >= 1.0.1t, revision >= 0.9.8z_p8,
> revision >= 0.9.8z_p9, revision >= 0.9.8z_p10,
> revision >= 0.9.8z_p11, revision >= 0.9.8z_p12,
> revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
> revision >= 0.9.8z_p15
>
> If it's true that versions >= 0.9.8z_p8 are unaffected,
> why is there a need to list that versions >= 0.9.8z_p[9-15] are
> unaffected? Are <> relationships between version numbers within the
> 0.9.8z_pNNN series not transitive?
>
Easiest possible answer, and highly likely to be the correct one: Someone
rushed out a notice. They made typos. Or the extract script has bad logic
and printed the wrong compare symbols. Or the transitiveness of the
subject matter simply never occurred to the author.

No need to get all technical on this. Yes strictly speaking it is
incorrect. But if you've been following DROWN the intent is crystal clear
and you can put it down to yet another bug.

Pity we can't take the same attitude with what openssl upstream did with
1.0.2g

-- 
Alan McKinnon
alan.mckin...@gmail.com
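As an added illustration that is not part of the thread: a simplified Gentoo version comparator following the PMS ordering rules (integer numeric parts, trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision), run over the '>=' entries quoted above. Plain version ordering is transitive, so every entry above 0.9.8z_p8 is implied by it; but the same plain reading also makes 1.0.2a (which is '< 1.0.2f', i.e. listed as affected) satisfy '>= 0.9.8z_p8', which shows the entries are meant per release branch rather than as one ordered set. The SUFFIX_RANK table and all function names are this example's own assumptions, not glsa-check's code.

```python
import re

# Suffix order from the Gentoo version spec (PMS): _alpha < _beta < _pre < _rc < none < _p.
# Simplification (assumed here): numeric components are compared as plain integers;
# PMS treats leading zeros specially, which none of the versions in this thread have.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
NO_SUFFIX = (SUFFIX_RANK[""], 0)
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)

def parse_version(v):
    """Split a Gentoo version such as '0.9.8z_p8-r1' into comparable parts."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("not a Gentoo version: %r" % v)
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffixes = [(SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return nums, m.group("letter"), suffixes, int(m.group("rev") or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # Pad the shorter suffix list with 'no suffix' so that '1.0_p1' > '1.0_p1_alpha'
    # and '1.0_alpha' < '1.0_alpha_p1', as PMS requires.
    width = max(len(sa), len(sb), 1)
    sa = sa + [NO_SUFFIX] * (width - len(sa))
    sb = sb + [NO_SUFFIX] * (width - len(sb))
    ka, kb = (na, la, sa, ra), (nb, lb, sb, rb)
    return (ka > kb) - (ka < kb)

def implied_lower_bounds(bounds):
    """Entries already covered by a strictly lower '>=' entry when '>=' is read as plain ordering."""
    return [b for b in bounds if any(compare_versions(o, b) < 0 for o in bounds)]

# The unaffected '>=' entries quoted from the advisory in the thread.
UNAFFECTED_GE = ["1.0.2f", "1.0.1r", "1.0.1s", "1.0.1t"] + \
    ["0.9.8z_p%d" % n for n in range(8, 16)]

if __name__ == "__main__":
    print("implied by a lower entry:", implied_lower_bounds(UNAFFECTED_GE))
    # Under plain ordering the list collapses to '>= 0.9.8z_p8', yet 1.0.2a is
    # also '< 1.0.2f' (affected): the entries only make sense read per branch.
    print("1.0.2a < 1.0.2f:", compare_versions("1.0.2a", "1.0.2f") < 0)
    print("1.0.2a >= 0.9.8z_p8:", compare_versions("1.0.2a", "0.9.8z_p8") >= 0)
```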