| 1 |
On 2016-03-04, Jonathan Callen <jcallen@g.o> wrote: |
| 2 |
> On 03/03/2016 04:00 PM, Grant Edwards wrote: |
| 3 |
> |
| 4 |
>> I'm sure I'm just being stupid, but I don't understand the lists of |
| 5 |
>> affected and unaffected version numbers in Gentoo security |
| 6 |
>> advisories. |
| 7 |
>> |
| 8 |
>> For example: |
| 9 |
>> |
| 10 |
>> Package dev-libs/openssl on all architectures Affected |
| 11 |
>> versions < 1.0.2f |
| 12 |
>> |
| 13 |
>> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >= |
| 14 |
>> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >= |
| 15 |
>> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11, |
| 16 |
>> revision |
| 17 |
>>> = 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14, |
| 18 |
>> revision >= 0.9.8z_p15 |
| 19 |
>> |
| 20 |
>> If it's true that versions >= 0.9.8z_p8 are unaffected, why is |
| 21 |
>> there a need to list that versions >= 0.9.8z_p[9-15] are |
| 22 |
>> unaffected? Are <> relationships betwen version numbers within the |
| 23 |
>> 0.9.8z_pNNN seriels not transitive? |
| 24 |
> |
| 25 |
> The "revision >=" operator in GLSAs indicates "any -r# revision of the |
| 26 |
> version greater than or equal to the indicated revision", so this is |
| 27 |
> saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0 |
| 28 |
> *is* affected. |
| 29 |
|
| 30 |
Doh! After all these years, I just now realized that some of those |
| 31 |
expressions are about "version" and some are about "revision"! I'd |
| 32 |
always been reading them as the same thing. |
| 33 |
|
| 34 |
I knew it I had to missing something basic... |
| 35 |
|
| 36 |
Thanks for the clue! |
| 37 |
|
| 38 |
-- |
| 39 |
Grant Edwards grant.b.edwards Yow! I would like to |
| 40 |
at urinate in an OVULAR, |
| 41 |
gmail.com porcelain pool -- |
Archives