I don't know, if this is the same known problem as with slots but glsa-check has
problems with some revision-declarations:

# glsa-check -t 200502-08
This system is affected by the following GLSA:
200502-08

# glsa-check -p 200502-08
Checking GLSA 200502-08
The following updates will be performed for this GLSA:
     dev-db/postgresql-8.0.1-r3 (7.4.8)


The GLSA looks like this:
<affected>
  <package name="dev-db/postgresql" auto="yes" arch="*">
    <unaffected range="rge">7.4.7</unaffected>
    <unaffected range="ge">8.0.1</unaffected>
    <vulnerable range="lt">8.0.1</vulnerable>
  </package>
</affected>

From the DTD it seems, as if glsa-check thinks that the last number is the
revision instead of the first. So it thinks that the following are vulnerable:
7.4.6, 7.4.6-r1 and so on
and unaffected would be:
7.4.7, 7.4.7-r1
but affected is everything <8.0.1, so even:
7.4.8, as its not the same revision as 7.4.7, but below 8.0.1

Where from does glsa-check know, which number is in the same revision, and which
not?
Example: Kernel revisions are: 2.2.x, 2.4.x, 2.6.x, but Postgresql, php and
apache have revisions like: 1.3.x, 2.0.x or 7.x.x,8.0.x or 4.7.x,5.0.x and so on...

I think, the r* parameters in the glsa needs to define how revisions look like.