I have the following package installed:

    dev-java/sun-jdk selected: 1.4.2.17 1.5.0.15 1.6.0.06

The glsa-check tool shows that the system is affected by 3 GLSAs:

    200705-23 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin dev-java/sun-jdk )
    200702-07 [N] Sun JDK/JRE: Execution of arbitrary code ( dev-java/sun-jre-bin dev-java/sun-jdk )
    200701-15 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin dev-java/sun-jdk )

All 3 of them contain similar package versions:

    <affected>
      <package name="dev-java/sun-jdk" auto="yes" arch="*">
        <unaffected range="ge">1.5.0.11</unaffected>
        <unaffected range="rge">1.4.2.14</unaffected>
        <unaffected range="rge">1.4.2.15</unaffected>
        <vulnerable range="lt">1.5.0.11</vulnerable>
      </package>
      ...
    </affected>

<unaffected> doesn't contain JDKs >1.4.2.15, so .16 and .17 are considered vulnerable, as the DTD for GLSA says:

    The r* range information is revision-specific. For instance,
    rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4

I propose a small change to the <package> tag: adding a slot attribute to denote SLOT (with a default value of "0"). That way it would be possible to create entries like:

    <affected>
      <package name="dev-java/sun-jdk" slot="1.4" auto="yes" arch="*">
        <unaffected range="ge">1.4.2.14</unaffected>
        <vulnerable range="lt">1.4.2.14</vulnerable>
      </package>
      <package name="dev-java/sun-jdk" slot="1.5" auto="yes" arch="*">
        <unaffected range="ge">1.5.0.11</unaffected>
        <vulnerable range="lt">1.5.0.11</vulnerable>
      </package>
      ...
    </affected>
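Added example (not part of the original report and not glsa-check's own code): a simplified model of the range matching described above, showing why 1.4.2.17 is flagged under the current entries and not under the proposed slot-aware ones. The dict layout, the function names, the rule "affected = in a vulnerable range and in no unaffected range", and slot "1.6" for 1.6.0.06 are assumptions made for illustration.

```python
import operator
import re

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def parse(version):
    """'1.4.2.17' or '1.2.3-r4' -> ((1, 4, 2, 17), revision)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError("unsupported version: " + version)
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def in_range(installed, op, bound):
    (ibase, irev), (bbase, brev) = parse(installed), parse(bound)
    if op.startswith("r"):
        # Revision-specific: rge 1.2.3-r4 means >=1.2.3-r4 and <1.2.4,
        # so only revisions of the same base version can match.
        return ibase == bbase and OPS[op[1:]](irev, brev)
    return OPS[op]((ibase, irev), (bbase, brev))

def is_affected(installed, slot, entries):
    """Assumed rule: in a vulnerable range and in no unaffected range."""
    for e in entries:
        if e["slot"] not in (None, slot):  # None: entry has no slot attribute
            continue
        vuln = any(in_range(installed, op, v) for op, v in e["vulnerable"])
        safe = any(in_range(installed, op, v) for op, v in e["unaffected"])
        if vuln and not safe:
            return True
    return False

# Ranges copied from the report; the dict layout is constructed for this example.
CURRENT = [{"slot": None, "vulnerable": [("lt", "1.5.0.11")],
            "unaffected": [("ge", "1.5.0.11"), ("rge", "1.4.2.14"),
                           ("rge", "1.4.2.15")]}]
PROPOSED = [{"slot": "1.4", "unaffected": [("ge", "1.4.2.14")],
             "vulnerable": [("lt", "1.4.2.14")]},
            {"slot": "1.5", "unaffected": [("ge", "1.5.0.11")],
             "vulnerable": [("lt", "1.5.0.11")]}]

# Installed versions from the report; slot "1.6" is an assumption.
INSTALLED = [("1.4.2.17", "1.4"), ("1.5.0.15", "1.5"), ("1.6.0.06", "1.6")]

def report(entries):
    return {v: is_affected(v, s, entries) for v, s in INSTALLED}

if __name__ == "__main__":
    print("current :", report(CURRENT))
    print("proposed:", report(PROPOSED))
```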
GLSA slot dependencies are being discussed in bug 106677. We need to update the old GLSAs to reflect the new versions still :-(
Updated all three GLSAs, thanks for the report. Please reopen if I missed something. Let's just hope we can get slot support soon.