Dear Mr. Kitterman and Python Modules Team,

I am writing to you as you are mentioned as maintainers of the *python-dns* package.

I did some research on Debian vulnerability data and found an issue. If I check CVE-2008-1447 <https://security-tracker.debian.org/tracker/CVE-2008-1447> on the Debian Security Tracker page, I see that the fixed version for python-dns is *2.3.1-5* (the same version is on the page of JSON-formatted security data <https://security-tracker.debian.org/tracker/data/json>).

But the information on this CVE in the file of OVAL data for Buster <https://www.debian.org/security/oval/oval-definitions-buster.xml> is different. The definition of that CVE starts at line 74982 in that file. The criterion below says that *None DPKG is earlier than 2.43-1.*

My questions are:

1. Should I consider 2.43-1 the fixed version for python-dns?
2. Why does the OVAL criterion reference a "None" object? How should I interpret this?
3. Should I rely on OVAL files?

Hoping for an answer.

--
Andrey Nikonov, Security engineer, "Frodex" Ltd.
Ufa, Russia.
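The cross-check described in the message, as an added example that is not part of the original e-mail or of Debian's tooling: it reads the "<package> DPKG is earlier than <version>" criteria of one CVE's OVAL definition and compares each with the fixed version in the tracker's JSON. Both inputs are constructed samples (not excerpts of the real files), the `oval:example:*` ids are placeholders, and the code assumes each definition names its CVE in a `reference` element's `ref_id` attribute.

```python
import json
import re
import xml.etree.ElementTree as ET

OVAL_NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
CRITERION_RE = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")

# Constructed sample shaped like an OVAL definition; not an excerpt of the real file.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition class="vulnerability" id="oval:example:def:1" version="1">
   <metadata><reference ref_id="CVE-2008-1447" source="CVE"/></metadata>
   <criteria operator="OR">
    <criterion comment="python-dns DPKG is earlier than 2.3.1-5" test_ref="oval:example:tst:1"/>
    <criterion comment="None DPKG is earlier than 2.43-1" test_ref="oval:example:tst:2"/>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

# Constructed sample in the package -> CVE -> releases layout of the tracker's JSON export.
SAMPLE_TRACKER = json.loads("""{"python-dns": {"CVE-2008-1447": {"releases":
 {"buster": {"status": "resolved", "fixed_version": "2.3.1-5"}}}}}""")

def cross_check(oval_xml, tracker, cve, release):
    """Return (package, oval_version, tracker_version, verdict) per DPKG criterion."""
    rows = []
    for definition in ET.fromstring(oval_xml).iterfind(".//o:definition", OVAL_NS):
        refs = {r.get("ref_id") for r in definition.iterfind("o:metadata/o:reference", OVAL_NS)}
        if cve not in refs:
            continue
        for crit in definition.iterfind(".//o:criterion", OVAL_NS):
            m = CRITERION_RE.match(crit.get("comment", ""))
            if not m:
                continue  # criteria that are not package version checks
            pkg, oval_ver = m.groups()
            entry = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(release, {})
            tracker_ver = entry.get("fixed_version")
            if pkg == "None":
                verdict = "unattributed"  # no package name: cannot be tied to python-dns
            elif tracker_ver is None:
                verdict = "not-in-tracker"
            else:
                verdict = "match" if tracker_ver == oval_ver else "mismatch"
            rows.append((pkg, oval_ver, tracker_ver, verdict))
    return rows

if __name__ == "__main__":
    for row in cross_check(SAMPLE_OVAL, SAMPLE_TRACKER, "CVE-2008-1447", "buster"):
        print(row)
```

The equality check compares version strings literally; ordering Debian versions correctly needs dpkg's own comparison rules.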
