I have Apache 1.3 merged, but glsa-check states that my system is affected by 200403-04 GLSA. This is obviously not true; a line in GLSA says: Unaffected: =1.3* >=2.0.49
The problem is more general: if the unaffected range is inside the vulnerable range (as 1.3.* is inside <=2.0.48) glsa-check doesn't use that unaffected range. I'll see if I can find a solution that covers all cases.
I have gentoo-dev-sources-2.6.7-r11, but glsa-check states that my system is affected by 200407-12 GLSA. But a line in GLSA says: Unaffected: >=2.6.7-r7
Similar for me. glsa-check says 200407-02 [N] Linux Kernel: Multiple vulnerabilities ( sys-kernel/rsbac-dev-sources sys-kernel/alpha-sources sys-kernel/ck-sources ... ) glsa-check -d 200407-02 gives Affected package: sys-kernel/development-sources Affected archs: All Vulnerable: <2.6.7 I have development-sources-2.6.7 installed. I saw something similar with kdebase, where the version I have installed is not affected, but glsa-check wants to rebuild.
A bit more searching in the forums and I see that the problem is due to glsa-check not yet handling slots properly. Slots have been a bit of a mystery to me, but I do see that I have several versions of development-sources and kdebase installed in /var/db/pkg, including versions that are affected. Now I have to work out whether they can be pruned, and more generally have a closer look at slots ...
*** Bug 57133 has been marked as a duplicate of this bug. ***
*** Bug 48766 has been marked as a duplicate of this bug. ***
The unaffected-in-vulnerable range should be fixed in 0.2.0_pre10, the kernel SLOT issue isn't a bug in my eyes.
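The range logic discussed in this thread, as an added example that is not glsa-check's own code: a version is affected only if it matches a vulnerable range and no unaffected range, and every installed (slotted) version is checked separately. The version parser is a simplification (dotted numbers plus optional -rN, with `=1.3*` matched per component), and the installed versions are constructed sample values.

```python
import re

def parse_version(v):
    """Split '2.6.7-r11' into ((2, 6, 7), 11). Simplified assumption:
    numeric dotted versions plus optional -rN (no _pre/_rc or letters)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def matches(installed, rng):
    """True if the version satisfies one range such as '<=2.0.48',
    '>=2.6.7-r7' or the prefix glob '=1.3*'."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", rng)
    if not m:
        raise ValueError(f"unsupported range: {rng}")
    op, ver = m.groups()
    if op == "=" and ver.endswith("*"):
        prefix = parse_version(ver[:-1])[0]
        return parse_version(installed)[0][:len(prefix)] == prefix
    a, b = parse_version(installed), parse_version(ver)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op]

def is_affected(installed, vulnerable, unaffected):
    """An unaffected range wins even when it lies inside a vulnerable one."""
    if any(matches(installed, r) for r in unaffected):
        return False
    return any(matches(installed, r) for r in vulnerable)

def affected_versions(installed_versions, vulnerable, unaffected):
    """Check every installed version (e.g. one per SLOT) on its own."""
    return [v for v in installed_versions
            if is_affected(v, vulnerable, unaffected)]

# Ranges quoted in the thread for GLSA 200403-04.
APACHE_VULNERABLE = ["<=2.0.48"]
APACHE_UNAFFECTED = ["=1.3*", ">=2.0.49"]

if __name__ == "__main__":
    # Constructed installed versions: 1.3.29 must not be reported.
    for v in ("1.3.29", "2.0.48", "2.0.49"):
        print(v, is_affected(v, APACHE_VULNERABLE, APACHE_UNAFFECTED))
    # Constructed slotted kernel sources: only the old version is reported.
    print(affected_versions(["2.6.5", "2.6.7"], ["<2.6.7"], []))
```

An old slotted version left in /var/db/pkg still shows up in `affected_versions`, which is why the GLSA keeps being listed until that version is removed.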