When running glsa-check I got:

glsa-check -t all
This system is affected by the following GLSAs:
201010-01
201603-15
201206-15

For 201010-01 and 201206-15 (libpng), my libpng versions are:

equery l libpng
[IP-] [ ] media-libs/libpng-1.2.56:1.2
[IP-] [ ] media-libs/libpng-1.6.21:0/16

So libpng cannot be vulnerable according to the dump of the glsa

Vulnerable: <1.5.10
Unaffected: >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51, >=~1.2.52, >=~1.2.53, >=~1.2.54, >=~1.2.55

Same for 201603-15 (openssl)

[IP-] [ ] dev-libs/openssl-0.9.8z_p8:0.9.8
[IP-] [ ] dev-libs/openssl-1.0.2h:0

Reproducible: Always
Hi, please check this bug. We have a lot of servers in Nagios with glsa-check and it reports vulnerabilities for unaffected packages. So a lot of false positives. Thank you.
These GLSAs have had lots of revisions that might have affected glsa-check behavior:

https://gitweb.gentoo.org/data/glsa.git/log/glsa-201010-01.xml
https://gitweb.gentoo.org/data/glsa.git/log/glsa-201206-15.xml

Please file a new bug if you find incorrect behavior with the latest revisions of GLSAs and the latest version of gentoolkit.

*** This bug has been marked as a duplicate of bug 575214 ***