-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/03/2016 04:00 PM, Grant Edwards wrote: > I'm sure I'm just being stupid, but I don't understand the lists of > affected and unaffected version numbers in Gentoo security > advisories. > > For example: > > Package dev-libs/openssl on all architectures Affected > versions < 1.0.2f > > Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >= > 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >= > 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11, > revision >> = 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14, > revision >= 0.9.8z_p15 > > If it's true that versions >= 0.9.8z_p8 are unaffected, why is > there a need to list that versions >= 0.9.8z_p[9-15] are > unaffected? Are <> relationships betwen version numbers within the > 0.9.8z_pNNN seriels not transitive? >
The "revision >=" operator in GLSAs indicates "any -r# revision of the version greater than or equal to the indicated revision", so this is saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0 *is* affected. Jonathan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJW2NLFAAoJEEIQbvYRB3mg0bcQAJ1q+HjadMnxf+c/8JwF0w/U qQOi7GqaJr2k4zq3I50MxltlsPxyT+wlmq08bEk0nBZ59r/lRhTqsqZtYJVLHyXH EvwXIq5K7MHvdgNoAmW6LXPxoVc3vQssMKWq5ypY6ZOqteGl7gSsv+M445L9vyMp 7dq63FyxRWWTWY0Wp3og0Do7HBaJTpNjVxjCeXGwOTx4LGYY+ef1Gec+AJbCiIfE FbQhcagVGPQqolH8vc9Fj/Erw9JwX6kw8KewGv6fJC/7O2cI2urcp6Lc1PBfDEfW to46VJ0qXw3ZO432QLH63iAKmi2BDJbhRUnvv9h14O4Ac+dJEsvMVwElrDA3kZt9 yo9sEFzNMTXELi5chFB4XgDJ47h4/bvP08SQ/OukFwaoH1oSSrWGhLpAmb9VfJOE VvzIhXtL/Fm/6nuAKYfZOvV4ad/XhPqRYud6VkpklcPBZEj5ABR8af16oOYqJiZX 9fn6FtGzH9vOF89Q13BDobhU4dCgxGwzPrSxVFVvGFmTivaysb/MOzGon/W+5r8K DxdlDhuix/lSWaJv7BZSrBfnxj2D51COP1sj4tCwSAZMucv0QbqQtM+XC8ShtAVF mwNuhGS2NEusEqF7Y40AQKuEfugkSpTukHXqWE7dbBp5C7b8mYTey5Ctuq9GKG3+ 51fTQlzO8R6KfzJObyaQ =1iq3 -----END PGP SIGNATURE-----
