| Summary: | GLSA 202004-10 lists unaffected 1.0.2 and 1.1.0 ebuild(s) as vulnerable | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | mentalstring <mentalstring> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED CANTFIX | | |
| Severity: | normal | CC: | cmwatts, hlein, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Fix affected OpenSSL versions for GLSA 202004-10 | | |
Description
mentalstring
2020-04-26 08:19:05 UTC
Same status here. GLSA-202004-10 has caused Nessus to build plugin #135946, which incorrectly marks anything prior to 1.1.1g as vulnerable. Specifically 1.0.2u is the one I'm having trouble with.

Created attachment 643856
Fix affected OpenSSL versions for GLSA 202004-10
Same issue here. 1.0.2u is not affected by either of the CVEs in this GLSA.
I think the attached patch to glsa-202004-10.xml is the right way to fix it, based on how other GLSAs handle multiple slots with different affected versions.
Unfortunately I do not know the right way to submit PRs for the glsa.git repo, as it is not mirrored to github like the main portage tree is.
Closing as CANTFIX: OpenSSL in Gentoo never used slots, and the subslot format was too specific, which makes it impossible for us to properly target affected versions.
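The thread above turns on how a GLSA `<affected>` block is evaluated: an installed version is flagged when it falls inside some `<vulnerable>` range and inside no `<unaffected>` range, and a `<package>` element can be restricted to one slot. The following is an added example (Python) and is not code from this bug, from Gentoo's glsa-check, or from Nessus. It models that evaluation with a simplified version comparator (numeric components plus an optional trailing letter, a stand-in for portage's vercmp) and two constructed rule sets: a single-range rule of the shape the reporter complains about, and a hypothetical per-slot rewrite in the style other GLSAs use for multi-slot packages. The slot names `1.1` and `1.0.2` are assumed for illustration, and neither XML snippet is the text of GLSA 202004-10 or of the attachment on this bug. It shows why the single range marks 1.0.2u vulnerable, and why slot-qualified rules only help when the installed package actually reports a matching slot.

```python
"""Added example: evaluate GLSA-style <affected> rules against installed
OpenSSL versions. Not code from Gentoo's glsa-check, Nessus, or this bug.
Version comparison is simplified (numeric parts, then a trailing letter);
the XML and slot names below are constructed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

# Single-range rule set: every OpenSSL version below 1.1.1g is "vulnerable".
SINGLE_RANGE = """<affected>
  <package name="dev-libs/openssl" auto="yes" arch="*">
    <unaffected range="ge">1.1.1g</unaffected>
    <vulnerable range="lt">1.1.1g</vulnerable>
  </package>
</affected>"""

# Hypothetical per-slot rewrite in the style other GLSAs use for packages
# with several slots. The slot values "1.1" and "1.0.2" are assumed.
PER_SLOT = """<affected>
  <package name="dev-libs/openssl" auto="yes" arch="*" slot="1.1">
    <unaffected range="ge">1.1.1g</unaffected>
    <vulnerable range="lt">1.1.1g</vulnerable>
  </package>
  <package name="dev-libs/openssl" auto="yes" arch="*" slot="1.0.2">
    <unaffected range="ge">1.0.2u</unaffected>
    <vulnerable range="lt">1.0.2u</vulnerable>
  </package>
</affected>"""

_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(v):
    """Split '1.0.2u' into ((1, 0, 2), 'u') so tuples compare in order."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def vercmp(a, b):
    """Return -1, 0 or 1 comparing Gentoo-style versions a and b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(installed, elem):
    """True if installed matches one <vulnerable> or <unaffected> element."""
    return _OPS[elem.get("range")](vercmp(installed, elem.text.strip()))


def evaluate(glsa_xml, name, installed, slot=None):
    """Verdict for one installed package: 'vulnerable' if it matches a
    <vulnerable> range and no <unaffected> range of an applicable <package>.
    A <package> carrying a slot attribute applies only when the installed
    package reports that same slot."""
    root = ET.fromstring(glsa_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") != name:
            continue
        if pkg.get("slot") is not None and pkg.get("slot") != slot:
            continue
        if any(in_range(installed, e) for e in pkg.findall("unaffected")):
            return "unaffected"
        if any(in_range(installed, e) for e in pkg.findall("vulnerable")):
            return "vulnerable"
    return "no matching rule"


def report(glsa_xml, versions):
    """Map each installed version to its verdict under one rule set.
    versions is a list of (version, slot) pairs."""
    return {v: evaluate(glsa_xml, "dev-libs/openssl", v, s) for v, s in versions}


if __name__ == "__main__":
    installed = [("1.0.2u", "1.0.2"), ("1.1.1f", "1.1"), ("1.1.1g", "1.1")]
    print("single range:", report(SINGLE_RANGE, installed))   # 1.0.2u flagged
    print("per slot:    ", report(PER_SLOT, installed))       # 1.0.2u exempt
    # With every OpenSSL ebuild in the default slot "0" (assumed here), the
    # slot-qualified rules match nothing, so the per-slot rewrite says nothing:
    print("per slot, slot 0:", report(PER_SLOT, [("1.0.2u", "0"), ("1.1.1f", "0")]))
```

The last call is the point the closing comment makes: a per-slot `<package>` entry can only exempt 1.0.2u if the installed package reports a distinct slot for the 1.0.2 branch, so a slot-based fix cannot be applied to a package whose branches all live in the same slot.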