Control: severity -1 wishlist Hi
On Tue, Jun 13, 2017 at 04:12:48PM +0000, 0x2a wrote: > Package: security.debian.org > Severity: important > > The generated OVAL tests only check the version of the source > package, not packages built from it. > > An example would be DSA-3872-1 (CVE-2017-5461, CVE-2017-5462, > CVE-2017-7502), where the test checks the *nss* package, not > *libnss3*, thus causing a false negative, since *nss* is not > installed. Some background: For our security-tracker we are intrested tracking fixes to the respective source packages. The OVAL files are generated out of that information of the security-tracker, thus as well only tracking source packages. Regards, Salvatore
