Forwarding this request to [email protected] who deal with the security infrastructure in Debian.
Andrei Nikonov <[email protected]> writes:

> Dear Mr. Kitterman and Python Modules Team,
>
> I am writing to you as you are mentioned as maintainers of the *python-dns*
> package.
>
> I did some research about Debian vulnerability data and found an issue.
>
> If I check CVE-2008-1447
> <https://security-tracker.debian.org/tracker/CVE-2008-1447> with Debian
> Security Tracker page, I will see that fixed version for python-dns is
> *2.3.1-5* (the same version is on page of JSON-formatted security data
> <https://security-tracker.debian.org/tracker/data/json>)
>
> But information of this CVE in the file of OVAL data for Buster
> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
> different. Definition of that CVE starts from line 74982 in that file.
> Criterion below tells that
> *None DPKG is earlier than 2.43-1.*
>
> My questions are:
> 1. Should I consider fixed version 2.43-1 for python-dns?
> 2. Why OVAL criterion references to "None" object? How should I interpret
> this?
> 3. Should I rely on OVAL files?
>
> Hoping for an answer.
> --
> Andrey Nikonov,
> Security engineer,
> "Frodex" Ltd.
> Ufa, Russia.
> _______________________________________________
> Python-modules-team mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team

--
Brian May <[email protected]>
https://linuxpenguins.xyz/brian/
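The comparison described in the forwarded message can be automated. This is an added example, not part of the original e-mail or of any Debian tool: it flags OVAL criteria whose package name is the literal "None" or whose version differs from the tracker's `fixed_version`. Both inputs are constructed samples; the criterion `comment` wording, the tracker JSON nesting and all function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Assumed criterion wording, taken from the phrase quoted in the message.
CRITERION = re.compile(r"^(?P<pkg>\S+) DPKG is earlier than (?P<ver>\S+)$")

# Constructed sample shaped like an OVAL definition (ids are placeholders).
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions><definition id="oval:example:def:1" class="vulnerability" version="1">
  <metadata><title>CVE-2008-1447</title></metadata>
  <criteria operator="AND">
   <criterion comment="python-dns DPKG is earlier than 2.3.1-5" test_ref="oval:example:tst:1"/>
   <criterion comment="None DPKG is earlier than 2.43-1" test_ref="oval:example:tst:2"/>
  </criteria>
 </definition></definitions>
</oval_definitions>"""

# Constructed sample in the assumed tracker layout: package -> CVE -> releases.
SAMPLE_TRACKER = {"python-dns": {"CVE-2008-1447": {"releases": {
    "buster": {"status": "resolved", "fixed_version": "2.3.1-5"}}}}}

def tracker_fixed_versions(tracker, cve, release):
    """Return {package: fixed_version} for one CVE in one release."""
    out = {}
    for pkg, cves in tracker.items():
        rel = cves.get(cve, {}).get("releases", {}).get(release)
        if rel and "fixed_version" in rel:
            out[pkg] = rel["fixed_version"]
    return out

def check_oval(oval_xml, tracker, release):
    """List (cve, package, version, reason) for criteria that disagree with the tracker."""
    findings = []
    # For downloaded files, parse with a hardened XML parser instead.
    for d in ET.fromstring(oval_xml).iterfind(".//oval:definition", NS):
        cve = d.findtext("oval:metadata/oval:title", default="", namespaces=NS).strip()
        expected = tracker_fixed_versions(tracker, cve, release)
        for c in d.iterfind(".//oval:criterion", NS):
            m = CRITERION.match(c.get("comment", ""))
            if not m:
                continue  # e.g. release or architecture criteria
            pkg, ver = m["pkg"], m["ver"]
            if pkg == "None":
                findings.append((cve, pkg, ver, "no-package-name"))
            elif pkg not in expected:
                findings.append((cve, pkg, ver, "not-in-tracker"))
            elif expected[pkg] != ver:
                findings.append((cve, pkg, ver, "version-mismatch"))
    return findings
```

Versions are compared for equality only; ordering Debian version strings needs dpkg's comparison rules, which this example does not implement.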
