Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 406391 - GLSA 201202-08 false positive for =net-misc/stunnel-3*
Summary: GLSA 201202-08 false positive for =net-misc/stunnel-3*
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.securelist.com/en/advisori...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-01 06:10 UTC by Ulrich Müller
Modified: 2012-07-30 23:30 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2012-03-01 06:10:01 UTC 
+++ This bug was initially created as a clone of Bug #379859 +++

Today, glsa-check reports that my system would be affected by a vulnerability in net-misc/stunnel-3.26. However, the upstream bug clearly states that only versions 4.40 and 4.41 are affected, so it is a false positive.

Could the GLSA be fixed please, such that stunnel-3* is excepted from the list of vulnerable versions?

(In fact, it looks like there never was any vulnerable version of stunnel in the Portage tree. It was updated from 4.36 to 4.44 immediately.)
Comment 1 Ulrich Müller gentoo-dev 2012-06-24 15:48:31 UTC 
Ping (after three months).
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-30 23:30:18 UTC 
Sorry for the delay; there was an issue bringing the GLSA back up in GLSAMaker for editing.

I have committed GLSA 201202-08:2 which adds <net-misc/stunnel-4 as unaffected: 
http://www.gentoo.org/security/en/glsa/glsa-201202-08.xml

No errata to be published: Error in affected/unaffected versions number, but people using stable packages and applying GLSA instructions are protected anyway