~~~~~~~~~~~~~~~~
root@verda / [20]# glsa-check -tv 201401-04
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
201401-04 [N] [remote ] Python: Multiple vulnerabilities ( dev-lang/python-2.7.5-r2 dev-lang/python-3.2.5-r2 )
~~~~~~~~~~~~~~~~

But according to this GLSA unaffected versions are:

~~~~~~~
revision >= 3.2.5-r1, revision >= 2.6.8, revision >= 2.7.3-r1, >= 3.3.2-r1
~~~~~~~

So it seems to me that the system is not affected, since:

~~~~~~~
root@verda / [21]# equery list python
 * Searching for python ...
[I--] [??] dev-lang/python-2.7.5-r2:2.7
[I--] [??] dev-lang/python-3.2.5-r2:3.2
~~~~~~~
Ok, I just thought this might have something to do with the fact that those ebuilds are not present in the tree, but, well, then this behaviour of `glsa-check` seems weird to me. And I couldn't find any mentions of this in documentation or forums or bugs.
$ equery list python
 * Searching for python ...
[IP-] [ ] dev-lang/python-2.7.6:2.7
[IP-] [ ] dev-lang/python-3.2.5-r3:3.2
[IP-] [ ] dev-lang/python-3.3.3:3.3
$ glsa-check -l affected
[...]
201401-04 [N] Python: Multiple vulnerabilities ( dev-lang/python )
$

I also noticed this:

# glsa-check --pretend affected
Checking GLSA 201401-04
>>> No upgrade path exists for these packages:
    dev-lang/python-2.7.6
glsa-check is working as intended, it's oblivious to slots and the advisory is not working around that fact properly. This is basically a dupe of bug 106677, I'll dupe it once a fixed advisory is in the tree.
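An added illustration (not glsa-check's code and not part of the original thread) that evaluates the unaffected ranges quoted in the report against the installed versions from both reports, with no slot awareness. It assumes "revision >=" is the GLSA `rge` range (same upstream version, equal or higher revision) and handles only plain `X.Y.Z-rN` version strings; the function names are hypothetical.

```python
import re

# Unaffected ranges as quoted in the report. "rge" = "revision >=": the
# upstream version must be identical and only the -rN part may be higher.
UNAFFECTED = [
    ("rge", "3.2.5-r1"),
    ("rge", "2.6.8"),
    ("rge", "2.7.3-r1"),
    ("ge", "3.3.2-r1"),
]


def parse(version):
    """Split 'X.Y.Z-rN' into ((X, Y, Z), N); a missing revision counts as r0.

    Simplified: Gentoo suffixes such as _p1 or _rc2 are not handled.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def matches(installed, op, bound):
    """True if the installed version satisfies one unaffected range."""
    (iv, ir), (bv, br) = parse(installed), parse(bound)
    if op == "ge":
        return (iv, ir) >= (bv, br)
    if op == "rge":
        return iv == bv and ir >= br
    raise ValueError(f"unsupported range operator: {op!r}")


def unmatched(installed_versions, unaffected=UNAFFECTED):
    """Installed versions that satisfy none of the unaffected ranges."""
    return [
        v for v in installed_versions
        if not any(matches(v, op, bound) for op, bound in unaffected)
    ]


if __name__ == "__main__":
    # Installed versions taken from the two equery listings in the thread.
    print(unmatched(["2.7.5-r2", "3.2.5-r2"]))
    print(unmatched(["2.7.6", "3.2.5-r3", "3.3.3"]))
```

The only open-ended range, `>= 3.3.2-r1`, lies in the 3.3 slot, so a 2.7.x version newer than 2.7.3 satisfies none of the listed ranges.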
*** Bug 497426 has been marked as a duplicate of this bug. ***
I added the additional versions that are unaffected, too. The fixed advisory is committed and should show up in the next 30 minutes. Please reopen if you still get this issue then.

*** This bug has been marked as a duplicate of bug 106677 ***