It contains, among others,
<package name="sys-kernel/gentoo-dev-sources" auto="yes" arch="*">
  <unaffected range="ge">2.6.7-r7</unaffected>
  <vulnerable range="ge">2.6</vulnerable>
</package>
And whatever you do, glsa-check will report the system affected. <vulnerable range="lt">2.6.7-r7</vulnerable> corrects this (same for other kernel source flavours).
Reproducible: Always
This is a problem with the GLSA, which is incompatible with the way glsa-check handles ranges. We'll correct it soon.
This isn't a bug with the GLSA - although this can be changed to "lt" for gentoo-dev-sources, it cannot for aa and ck sources (and a few others) since they have 2.4 trees that are /not/ vulnerable and "lt" would pick them up as such. Hence, glsa-check should evaluate vulnerable ranges and then subtract unaffected ranges rather than the current algorithm of doing things and no false errors should occur. Adding genone to the CC so he can have a look at this.
Plasmaroo, this style from the Coordinator Guide should work with glsa-check: unaffected<=1.2.8-r2 unaffected>=1.2.10 affected<1.2.10
glsa-200409-28 has a similar problem (except there is no easy workaround).
<package name="x11-libs/gtk+" auto="yes" arch="*">
  <unaffected range="ge">2.4.9-r1</unaffected>
  <unaffected range="lt">2.0.0</unaffected>
  <vulnerable range="lt">2.4.9-r1</vulnerable>
</package>
Here, <vulnerable range="lt">2.4.9-r1</vulnerable> shadows the whole unaffected 1.2 slot. All in all, it seems the scheme currently used is ambiguous at best. I think each <vulnerable> should have "min" and "max" attributes; then <unaffected> becomes redundant.
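An added example (not glsa-check's or the GLSA tooling's own code) of the evaluation proposed in comment 3, "match the vulnerable ranges, then subtract the unaffected ranges", run against the gtk+ element quoted in comment 5. The version parser is a simplified stand-in for portage's comparison and only handles dotted numbers with an optional -rN revision; the 2.4 kernel case from the report is checked the same way.

```python
import re
import xml.etree.ElementTree as ET

# Simplified Gentoo version parser: dotted numeric parts plus an optional -rN revision.
# Not portage's full vercmp (no _rc/_p suffixes), but enough for the versions in this bug.
def parse_version(v):
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def vercmp(a, b):
    """-1, 0 or 1 as version a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)

# GLSA "range" attribute -> predicate on vercmp(version, bound).
RANGE_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}

def in_ranges(version, ranges):
    """True if the version falls inside any of the (op, bound) ranges."""
    return any(RANGE_OPS[op](vercmp(version, bound)) for op, bound in ranges)

def parse_package(xml_text):
    """Read the <vulnerable> and <unaffected> ranges out of a GLSA <package> element."""
    pkg = ET.fromstring(xml_text)
    def pick(tag):
        return [(e.get("range"), e.text.strip()) for e in pkg.findall(tag)]
    return pkg.get("name"), pick("vulnerable"), pick("unaffected")

def is_affected(version, vulnerable, unaffected):
    """Evaluation proposed in comment 3: inside some <vulnerable> range AND inside
    no <unaffected> range, i.e. the unaffected ranges are subtracted, not ignored."""
    return in_ranges(version, vulnerable) and not in_ranges(version, unaffected)

# The gtk+ package element quoted from glsa-200409-28 in comment 5.
GTK_PACKAGE = """<package name="x11-libs/gtk+" auto="yes" arch="*">
<unaffected range="ge">2.4.9-r1</unaffected>
<unaffected range="lt">2.0.0</unaffected>
<vulnerable range="lt">2.4.9-r1</vulnerable>
</package>"""

def check_gtk(version):
    _, vuln, unaff = parse_package(GTK_PACKAGE)
    return is_affected(version, vuln, unaff)

if __name__ == "__main__":
    _, vuln, unaff = parse_package(GTK_PACKAGE)
    for v in ("1.2.10", "2.4.8", "2.4.9-r1"):
        # 1.2.10 sits inside "lt 2.4.9-r1" but is rescued by the "lt 2.0.0" unaffected range.
        print(v, "vulnerable-only:", in_ranges(v, vuln), "subtracted:", is_affected(v, vuln, unaff))
```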
Yes, lack of ranges is a known problem, however this won't be changed until portage itself has proper support for it.
Tim, will you fix GLSA 200407-12 with my workaround from comment #3?
Re: comment #4 and comment #5: It's a problem in glsa-check that is being addressed in bug 65664. This bug should only address the issue in 200407-12.
I fixed GLSA 200407-12 (+ added development-sources fixed version and CAN reference). Evgeny: it should work now, please double-check.
Is solved, doesn't appear anymore.
Then it's closed :)