On 2013-03-26 14:27, Florian Weimer wrote:
* Matthew Gabeler-Lee:
Today debsecan alerted me about CVE-2013-1824 (a php5 issue). Based on the PTS page for php5 and my system update schedule, I can say with near certainty that I installed the fixed version of php5 more than two weeks before it sent the report. Even if I'm mistaken on the two weeks, I certainly had installed the fixed version before the report was generated.
The fact that CVE-2013-1824 was fixed in an older DSA was only
recorded yesterday. As a result, there was an unfixed -> fixed
transition. I suppose it should be possible to suppress reporting it
in cases where the version number does not actually change.
If I'm understanding what you're saying correctly (not quite sure I
am), I'm a little worried that it might cause an alert to be suppressed
even when a vulnerable version is still installed. The alternate method
I'm suggesting is to suppress reports for unfixed->fixed if the
installed version is >= the fixed version.
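As an added example (not code from debsecan or from either poster), here is the "installed >= fixed" check Matthew suggests, built on a port of dpkg's version ordering so that revisions such as 14+deb7u1 or 1.0~rc1 compare the way dpkg compares them. The function name should_report, the host names and every version number below are constructed placeholders, not values from any DSA.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character rank: end-of-string/digit 0, '~' below everything, letters before symbols
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_nondigit(x, y):
    # Compare two non-digit segments character by character, padding the shorter with "".
    for cx, cy in zip_longest(x, y, fillvalue=""):
        if _order(cx) != _order(cy):
            return _order(cx) - _order(cy)
    return 0

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit and numeric segments (1.10 > 1.9, 1.0~rc1 < 1.0).
    pa = re.findall(r"([^0-9]*)([0-9]*)", a)
    pb = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (sa, da), (sb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        r = _cmp_nondigit(sa, sb) or (int(da or 0) - int(db or 0))
        if r:
            return r
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; epoch defaults to 0, revision to "".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 in the same order dpkg --compare-versions would.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def should_report(installed, fixed_version):
    # Rule suggested in the thread: report an unfixed->fixed transition only while
    # the installed version is still older than the version that fixes the issue.
    return compare_versions(installed, fixed_version) < 0

# Constructed sample (placeholder versions, not from any DSA): web1 had already upgraded.
if __name__ == "__main__":
    fixed = "5.4.4-14+deb7u1"
    for host, installed in (("web1", "5.4.4-14+deb7u1"), ("web2", "5.4.4-13")):
        print(host, "report" if should_report(installed, fixed) else "suppress")
```

Running it prints "web1 suppress" and "web2 report": the transition recorded in the database is the same for both hosts, but only the host that still runs the older package gets an alert.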