Dear QA Group,

I am writing to you as you are mentioned as a maintainer of the *abiword*
package.

I did some research about Debian vulnerability data and found an issue.

If I check CVE-2005-2964
<https://security-tracker.debian.org/tracker/CVE-2005-2964> on the Debian
Security Tracker page, I see that the fixed version is *2.2.10-1* (the
same version is on the page of JSON-formatted security data
<https://security-tracker.debian.org/tracker/data/json>).

But the information for this CVE in the OVAL data file for Buster
<https://www.debian.org/security/oval/oval-definitions-buster.xml> is
different. The definition of that CVE starts at line 33665 in that file.
The criterion below says that
*None DPKG is earlier than 2.4.1-1.*

My questions are:
1. Should I consider 2.4.1-1 the fixed version for abiword?
2. Why does the OVAL criterion reference a "None" object? How should I
interpret this?
3. Should I rely on OVAL files?

Hoping for an answer.
-- 
Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.
