$ glsa-check -l affected
201401-04 [N] Python: Multiple vulnerabilities ( dev-lang/python )
201503-10 [N] Python: Multiple vulnerabilities ( dev-lang/python )
$ glsa-check --print 201401-04
GLSA 201401-04: Python: Multiple vulnerabilities
============================================================================
Synopsis: Multiple vulnerabilities have been found in Python, the worst of which allow remote attackers to cause a Denial of Service condition.
Announced on: January 06, 2014
Last revised on: July 07, 2014 : 04
Affected package: dev-lang/python
Affected archs: All
Vulnerable: <3.3.2-r1
Unaffected: >=~3.2.5-r1, >=~2.6.8, >=~2.7.3-r1, >=3.3.2-r1, >=~2.6.9, >=~2.7.4, >=~2.7.5, >=~2.7.6, >=~2.7.7, >=~2.7.8, >=~2.7.9
Related bugs: 325593, 355927, 358663, 396329, 403437, 469988
[...]

The system only has 2.7.10 and 3.4.3 installed. To me this looks like glsa-check erroneously believes that 2.7.10 < 2.7.9, maybe because it does string-sort/-comparison instead of looking at version components.

The second GLSA above (201503-10) exhibits the same symptoms, with these version markers:
Vulnerable: <3.3.5-r1
Unaffected: >=3.3.5-r1, >=~2.7.9-r1
I see the same here.

% glsa-check -t all
This system is affected by the following GLSAs:
201401-04
201503-10
% qlist -ICve python
dev-lang/python-2.7.10
dev-lang/python-3.3.5-r1
dev-lang/python-3.4.3
I was investigating glsa-check to make sure that it did not have a bug with these GLSAs and it does not. The GLSAs need to be updated to account for 2.7.10 since the current GLSAs are using the "rge" range operator for the 2.7.9 versions of python, that is stating that 2.7.10 is vulnerable when it is not.
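Added example (not code from glsa-check or from this bug report): a simplified model of how the ranges printed for GLSA 201401-04 evaluate, showing that the revision-bound `>=~` ("rge") entries never cover 2.7.10 while a plain component-wise `>=` would. The function names are hypothetical, only purely numeric versions with an optional `-rN` revision are handled, and "affected" is modelled as matching a vulnerable range and no unaffected range.

```python
import re

# Constructed from the Vulnerable/Unaffected lines printed for GLSA 201401-04 above.
VULNERABLE = ["<3.3.2-r1"]
UNAFFECTED = [">=~3.2.5-r1", ">=~2.6.8", ">=~2.7.3-r1", ">=3.3.2-r1", ">=~2.6.9",
              ">=~2.7.4", ">=~2.7.5", ">=~2.7.6", ">=~2.7.7", ">=~2.7.8", ">=~2.7.9"]

def parse(version):
    """Split '2.7.9-r1' into ((2, 7, 9), 1). Numeric versions only (simplification)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version: {version}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def matches(installed, atom):
    """Evaluate one range such as '<3.3.2-r1' or '>=~2.7.9' against a version."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(~?)(.+)", atom)
    if not m:
        raise ValueError(f"unsupported range: {atom}")
    op, rev_only, target = m.groups()
    (iv, ir), (tv, tr) = parse(installed), parse(target)
    if rev_only:
        # Revision-bound operator: the base version must be identical,
        # and only the -rN revision is compared.
        if iv != tv:
            return False
        left, right = ir, tr
    else:
        # Plain operator: compare version components, then revision.
        left, right = (iv, ir), (tv, tr)
    return {"<": left < right, "<=": left <= right, "=": left == right,
            ">=": left >= right, ">": left > right}[op]

def affected(installed, vulnerable=VULNERABLE, unaffected=UNAFFECTED):
    """True if the version hits a vulnerable range and no unaffected range."""
    return (any(matches(installed, a) for a in vulnerable)
            and not any(matches(installed, a) for a in unaffected))

if __name__ == "__main__":
    for v in ["2.7.3", "2.7.9", "2.7.10", "3.4.3"]:
        print(v, "affected" if affected(v) else "not affected")
```

Each new 2.7.x release falls outside every `>=~` entry in the same way, so the unaffected list has to be extended per release unless the range is expressed differently.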
This is another instance of the current GLSA format not properly supporting SLOTs. I have just added a few more unaffected versions (up to Python 2.7.15) which will hopefully fix this for quite some time.
That time is up as glsa-check is now reporting a problem with python-2.7.16
(In reply to Neil Bothwick from comment #4)
> That time is up as glsa-check is now reporting a problem with python-2.7.16

Fixed now. Missing slot on the GLSA.
Thanks, ignoring GLSAs makes me nervous.