1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA512 |
3 |
|
4 |
On 03/03/2016 04:00 PM, Grant Edwards wrote: |
5 |
> I'm sure I'm just being stupid, but I don't understand the lists of |
6 |
> affected and unaffected version numbers in Gentoo security |
7 |
> advisories. |
8 |
> |
9 |
> For example: |
10 |
> |
11 |
> Package dev-libs/openssl on all architectures Affected |
12 |
> versions < 1.0.2f |
13 |
> |
14 |
> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >= |
15 |
> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >= |
16 |
> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11, |
17 |
> revision |
18 |
>> = 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14, |
19 |
> revision >= 0.9.8z_p15 |
20 |
> |
21 |
> If it's true that versions >= 0.9.8z_p8 are unaffected, why is |
22 |
> there a need to list that versions >= 0.9.8z_p[9-15] are |
23 |
> unaffected? Are <> relationships betwen version numbers within the |
24 |
> 0.9.8z_pNNN seriels not transitive? |
25 |
> |
26 |
|
27 |
The "revision >=" operator in GLSAs indicates "any -r# revision of the |
28 |
version greater than or equal to the indicated revision", so this is |
29 |
saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0 |
30 |
*is* affected. |
31 |
|
32 |
Jonathan |
33 |
-----BEGIN PGP SIGNATURE----- |
34 |
Version: GnuPG v2 |
35 |
|
36 |
iQIcBAEBCgAGBQJW2NLFAAoJEEIQbvYRB3mg0bcQAJ1q+HjadMnxf+c/8JwF0w/U |
37 |
qQOi7GqaJr2k4zq3I50MxltlsPxyT+wlmq08bEk0nBZ59r/lRhTqsqZtYJVLHyXH |
38 |
EvwXIq5K7MHvdgNoAmW6LXPxoVc3vQssMKWq5ypY6ZOqteGl7gSsv+M445L9vyMp |
39 |
7dq63FyxRWWTWY0Wp3og0Do7HBaJTpNjVxjCeXGwOTx4LGYY+ef1Gec+AJbCiIfE |
40 |
FbQhcagVGPQqolH8vc9Fj/Erw9JwX6kw8KewGv6fJC/7O2cI2urcp6Lc1PBfDEfW |
41 |
to46VJ0qXw3ZO432QLH63iAKmi2BDJbhRUnvv9h14O4Ac+dJEsvMVwElrDA3kZt9 |
42 |
yo9sEFzNMTXELi5chFB4XgDJ47h4/bvP08SQ/OukFwaoH1oSSrWGhLpAmb9VfJOE |
43 |
VvzIhXtL/Fm/6nuAKYfZOvV4ad/XhPqRYud6VkpklcPBZEj5ABR8af16oOYqJiZX |
44 |
9fn6FtGzH9vOF89Q13BDobhU4dCgxGwzPrSxVFVvGFmTivaysb/MOzGon/W+5r8K |
45 |
DxdlDhuix/lSWaJv7BZSrBfnxj2D51COP1sj4tCwSAZMucv0QbqQtM+XC8ShtAVF |
46 |
mwNuhGS2NEusEqF7Y40AQKuEfugkSpTukHXqWE7dbBp5C7b8mYTey5Ctuq9GKG3+ |
47 |
51fTQlzO8R6KfzJObyaQ |
48 |
=1iq3 |
49 |
-----END PGP SIGNATURE----- |