Gentoo Archives: gentoo-user

From: Jonathan Callen <jcallen@g.o>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: I don't understand version numbers in Gentoo security advisories
Date: Fri, 04 Mar 2016 00:12:18
Message-Id: 56D8D2C5.3010606@gentoo.org
In Reply to: [gentoo-user] I don't understand version numbers in Gentoo security advisories by Grant Edwards

On 03/03/2016 04:00 PM, Grant Edwards wrote:
> I'm sure I'm just being stupid, but I don't understand the lists of
> affected and unaffected version numbers in Gentoo security
> advisories.
>
> For example:
>
> Package dev-libs/openssl on all architectures Affected
> versions < 1.0.2f
>
> Unaffected versions >= 1.0.2f, revision >= 1.0.1r, revision >=
> 1.0.1s, revision >= 1.0.1t, revision >= 0.9.8z_p8, revision >=
> 0.9.8z_p9, revision >= 0.9.8z_p10, revision >= 0.9.8z_p11,
> revision >= 0.9.8z_p12, revision >= 0.9.8z_p13, revision >= 0.9.8z_p14,
> revision >= 0.9.8z_p15
>
> If it's true that versions >= 0.9.8z_p8 are unaffected, why is
> there a need to list that versions >= 0.9.8z_p[9-15] are
> unaffected? Are <> relationships between version numbers within the
> 0.9.8z_pNNN series not transitive?
>

The "revision >=" operator in GLSAs indicates "any -r# revision of the
version greater than or equal to the indicated revision", so this is
saying that 0.9.8z_p15 isn't affected, nor is 0.9.8z_p15-r1, but 1.0.0
*is* affected.

Jonathan
