Thanks for the info, this solves the issue. I probably have been looking in the wrong direction.
-----Original Message----- From: Darac Marjal [mailto:mailingl...@darac.org.uk] Sent: donderdag 22 november 2012 15:51 To: debian-user@lists.debian.org Subject: Re: Debian Package Version system On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote: > Hi All, > > After performing some vulnerability scans on some our systems one of the > outcomes was that some software packages were out of date. > We`re using the package management system of Debian and all packages were > updated (apt-get update & apt-get (dist-)upgrade) prior to the scan. > The vulnerability scanner most likely compares the version against that of > the source code, which differs. > How can I tell which version in the debian package repository system > corresponds to which version of the source code. http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version states that a debian package has a version number that is formatted as: [epoch:]upstream_version[-debian_revision] That is, a small integer (0, if unspecified) followed by a colon, then the upstream version, then (starting from the last hyphen) the debian revision (again 0 if unspecified). So, taking some examples from my system: bash: 4.1-3 -> Upstream: 4.1 acpid: 1:2.0.7-1squeeze4 -> Upstream: 2.0.7 etckeeper: 0.48 -> Upstream: 0.48 > That way I can whitelist these software packages in our vulnerability scans. You might want to consider WHY the software was updated. Is there a newer upstream because there's a security vulnerability, or is it just new features (possibly untested). -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e7e899956e6065488dbc6623f76f36a275bf5a6...@ramnl-ex02.ram.nl
