Bug 438106 - glsa 201209-24 dev-db/postgresql-server
Summary: glsa 201209-24 dev-db/postgresql-server
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
 
Reported: 2012-10-12 13:05 UTC by Dennis Nezic
Modified: 2014-01-20 09:42 UTC (History)

Runtime testing required: ---


Description Dennis Nezic 2012-10-12 13:05:28 UTC
I believe <unaffected range="rge">9.0.10</unaffected> should be added as well? Currently glsa-check will flag 9.0.10 as being affected -- which is not true.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-12 15:20:46 UTC
=dev-db/postgresql-server-9.0.10 is not currently stable on any arches and GLSAs only cover the stable tree.
Comment 2 Dennis Nezic 2012-10-13 00:01:46 UTC
Then why is glsa-check telling me that my 9.0.10 is vulnerable?!
Comment 3 Dennis Nezic 2012-10-25 10:11:40 UTC
The current rules for this glsa explicitly say that 9.0.10 is affected though -- but that's not what all the security reports say. Whether the package is stable or not is irrelevant. Reopen!
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-25 11:50:33 UTC
(In reply to comment #3)
> The current rules for this glsa explicitly say that 9.0.10 is affected
> though -- but that's not what all the security reports say. Whether the
> package is stable or not is irrelevant. Reopen!

GLSAs (and therefore glsa-check) have known limitations when dealing with slots [1][2]. If the package was stable (or goes stable in the future), we can manually add 9.0.10 to the GLSA. In the meantime, we cannot add every non-stable version or maintainer revision bump to postgresql-server and all of the other slotted packages like it. Whether a package is stable or non-stable is relevant here: non-stable packages are best-effort and we have many stable packages that require our efforts [3]. This is one of the drawbacks to running non-stable packages. 


[1] https://bugs.gentoo.org/show_bug.cgi?id=106677
[2] http://www.gentoo-wiki.info/Glsa-check#Known_problems
[3] https://bugs.gentoo.org/buglist.cgi?list_id=1347326&resolution=---&status_whiteboard_type=allwordssubstr&query_format=advanced&status_whiteboard=glsa&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&bug_status=VERIFIED&product=Gentoo%20Security
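The slot limitation described in comment 4 comes down to how GLSA version ranges are evaluated. A plain range such as ge 9.1.5 is open-ended, but a revision range (rge, rle, rgt, rlt) only ever matches one base version and its -rN revisions, so an unaffected rge 9.0.9 entry says nothing about 9.0.10, and an installed 9.0.10 in the 9.0 slot still matches vulnerable lt 9.1.5. Every new version in the older slot therefore needs its own unaffected line. The following is an added illustration for this bug, not the code of portage's glsa-check; the GLSA fragment in it is constructed for the example and is not the text of GLSA 201209-24, and the version parser is a simplification that handles dotted numerics and -rN only.

```python
"""Toy model of how glsa-check evaluates GLSA version ranges.

Added illustration for this bug; it is not the code of portage's glsa-check,
and the GLSA fragment below is constructed, not the text of 201209-24.
"""
import operator
import re
import xml.etree.ElementTree as ET

# Constructed GLSA fragment. Only the 9.1 branch has an open-ended "ge"
# exception; the 9.0 branch is covered by a revision range ("rge"), which
# matches one base version (and its -rN revisions) and nothing else.
GLSA_XML = """<glsa id="201209-24">
  <affected>
    <package name="dev-db/postgresql-server" auto="yes" arch="*">
      <unaffected range="ge">9.1.5</unaffected>
      <unaffected range="rge">9.0.9</unaffected>
      <vulnerable range="lt">9.1.5</vulnerable>
    </package>
  </affected>
</glsa>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "gt": operator.gt, "ge": operator.ge}


def parse_version(ver):
    """Split '9.0.10-r2' into ((9, 0, 10), 2).

    Simplification (assumption of this example): dotted numerics plus an
    optional -rN revision only; _p/_rc style suffixes are out of scope.
    """
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:-r([0-9]+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    base = tuple(int(x) for x in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def matches(installed, op, ref):
    """True if `installed` satisfies the GLSA range `op ref`.

    Plain ops (lt/le/eq/gt/ge) compare whole versions. The r-prefixed ops
    (rlt/rle/rgt/rge) only ever match the same base version and compare the
    -rN revision alone, so a bump from 9.0.9 to 9.0.10 falls outside an
    'rge 9.0.9' exception.
    """
    ibase, irev = parse_version(installed)
    rbase, rrev = parse_version(ref)
    if op.startswith("r"):
        return ibase == rbase and OPS[op[1:]](irev, rrev)
    return OPS[op]((ibase, irev), (rbase, rrev))


def flagged_versions(glsa_xml, installed):
    """Return the installed versions glsa-check would report as [N].

    `installed` maps "cat/pkg" to its installed version strings (each slot
    contributes its own entry). A version is flagged when it matches a
    <vulnerable> range and no <unaffected> range.
    """
    root = ET.fromstring(glsa_xml)
    flagged = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        for ver in installed.get(name, []):
            if any(matches(ver, o, r) for o, r in vuln) and \
               not any(matches(ver, o, r) for o, r in unaff):
                flagged.append(f"{name}-{ver}")
    return flagged


def add_unaffected(glsa_xml, pkg_name, op, ref):
    """The fix the reporter asks for: append one more <unaffected> range
    to the matching <package> entry and return the edited XML."""
    root = ET.fromstring(glsa_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") == pkg_name:
            el = ET.SubElement(pkg, "unaffected", range=op)
            el.text = ref
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed inventory: one 9.1 slot plus several 9.0 slot versions.
    box = {"dev-db/postgresql-server": ["9.1.6", "9.0.9-r1", "9.0.10", "9.0.15"]}
    print("before:", flagged_versions(GLSA_XML, box))
    fixed = add_unaffected(GLSA_XML, "dev-db/postgresql-server", "rge", "9.0.10")
    print("after: ", flagged_versions(fixed, box))
```

With the constructed ranges, 9.1.6 and 9.0.9-r1 are clean while 9.0.10 and 9.0.15 are flagged; adding rge 9.0.10 silences only 9.0.10, and 9.0.15 stays flagged until it gets an entry of its own. That is exactly the shape of the follow-up in comment 5, and why the team says it cannot track every version bump in a non-stable slot by hand.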
Comment 5 Dennis Nezic 2014-01-02 13:24:56 UTC
postgresql-server-9.0.15 does seem to be stable on x86 and amd64, but it's still triggering this glsa. reopen/fix?
Comment 6 Dennis Nezic 2014-01-10 03:18:26 UTC
Bump. (Shouldn't this bug be re-opened?)
Comment 7 Aaron W. Swenson gentoo-dev 2014-01-19 18:58:02 UTC
(In reply to Dennis New from comment #6)
> Bump. (Shouldn't this bug be re-opened?)

I can't reproduce this bug.
Comment 8 Dennis Nezic 2014-01-19 19:01:16 UTC
You have 9.0.15 installed, and glsa-check isn't claiming that it's vulnerable?
Comment 9 Andrew Hamilton 2014-01-20 07:29:51 UTC
I have successfully reproduced this bug on a stable amd64 system with the following steps:

emerge --sync
emerge -a postgresql-server:9.0
eix -e postgresql-server
Installed versions:  9.0.15(9.0)(01:59:32 01/20/14)
glsa-check -l affected
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201209-24 [N] PostgreSQL: Multiple vulnerabilities ( dev-db/postgresql-server )
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2014-01-20 09:42:05 UTC
I just marked the current stable versions (and a few previous ones as well) as unaffected. The change should propagate within the hour.

Sorry about the inconvenience. We're currently working on slot support to properly express affected version ranges (see the gentoo-security mailing list). Until then, if an issue like this pops up again for any stable package, don't hesitate to contact us.