I'm also experiencing this behavior. After upgrading to lenny 5.0.5, `debsecan --suite lenny --only-fixed` lists these advisories, as well as many others (648 total):

```
CVE-2009-1300 apt (fixed, remotely exploitable, high urgency)
CVE-2009-1358 apt (fixed, remotely exploitable, high urgency)
CVE-2009-1300 apt-utils (fixed, remotely exploitable, high urgency)
CVE-2009-1358 apt-utils (fixed, remotely exploitable, high urgency)
```

Listing the details of the apt package:

```
CVE-2009-1300 (fixed, remotely exploitable, high urgency)
  apt 0.7.20 does not check when the date command returns an "invalid ...
  installed: apt-utils 0.7.20.2+lenny2 (built from apt 0.7.20.2+lenny2)
  fixed in unstable: apt 0.7.21 (source package)
  fixed on branch: apt 0.6.46.4-0.1+etch1 (source package)
  fixed on branch: apt 0.7.20.2+lenny1 (source package)
  fixed on branch: apt 0.7.20.2+squeeze1 (source package)
  fixed on branch: apt 0.7.25.3 (source package)
  fix is available for the selected suite (lenny)
```

So you can see that the vulnerability was fixed in apt version 0.7.20.2+lenny1. I have apt version 0.7.20.2+lenny2 and debsecan considers my version vulnerable, so I believe this is a bug in debsecan.