See bug 713484 comment 16 for more details.
I think the XML should have these package contents:

<affected>
  <package name="dev-lang/php" auto="yes" arch="*">
    <unaffected range="ge">7.2.29</unaffected>
    <unaffected range="ge">7.3.16</unaffected>
    <unaffected range="ge">7.4.4</unaffected>
    <vulnerable range="lt">7.2.29</vulnerable>
    <vulnerable range="lt">7.3.16</vulnerable>
    <vulnerable range="lt">7.4.4</vulnerable>
  </package>
</affected>

Can this be fixed upstream?
We are working on this, but it's not that easy. See the following pseudo example with some debug output:

> (chroot) dev1 ~ # # eshowkw dev-lang/php
> Keywords for dev-lang/php:
>           |                             |   u     |
>           | a   a     p         s a r   |   n     |
>           | m   r i   p   h m s p l i m | e u s   | r
>           | d a m a p c x p 6 3 a p s i | a s l   | e
>           | 6 r 6 6 p 6 8 p 8 9 r h c p | p e o   | p
>           | 4 m 4 4 c 4 6 a k 0 c a v s | i d t   | o
> ----------+-----------------------------+---------+-------
>    7.2.29 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.2 | gentoo
>    7.2.30 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>    7.3.16 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.3 | gentoo
> [I]7.3.17 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>  [I]7.4.4 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.4 | gentoo
>     7.4.5 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> (chroot) dev1 ~ # grep -B 6 '</package>' /var/db/repos/gentoo/metadata/glsa/glsa-202003-57.xml
> <unaffected range="ge">7.2.29</unaffected>
> <unaffected range="ge">7.3.18</unaffected>
> <unaffected range="ge">7.4.5</unaffected>
> <vulnerable range="lt">7.2.29</vulnerable>
> <vulnerable range="lt">7.3.18</vulnerable>
> <vulnerable range="lt">7.4.5</vulnerable>
> </package>
> (chroot) dev1 ~ # glsa-check -t 202003-57
> {'arch': '*', 'auto': True, 'vul_vers': ['<7.4.5'], 'unaff_vers': ['>=7.2.29', '>=7.3.18', '>=7.4.5'], 'vul_atoms': ['<dev-lang/php-7.4.5'], 'unaff_atoms': ['>=dev-lang/php-7.2.29', '>=dev-lang/php-7.3.18', '>=dev-lang/php-7.4.5']}
> v_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4']
> u_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4', 'dev-lang/php-7.4.4']
> v_installed reduced: []
> This system is not affected by any of the listed GLSAs

As you can see, the lowest unaffected range will clear out everything else, which is wrong. Using rge helped here but only at revision level which is not the case.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5f514a6bc0b6082d08328fcc290cbba6761ee102

commit 5f514a6bc0b6082d08328fcc290cbba6761ee102
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-23 15:25:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-23 15:25:14 +0000

    [ GLSA 202003-57 ] Use slots

    Closes: https://bugs.gentoo.org/718844
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202003-57.xml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
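
The reduction seen in the debug output above ("v_installed reduced: []"), as an added example that is not part of the original comments and is not Portage's glsa-check code: a simplified Python model in which an installed version that matches a vulnerable range is dropped again as soon as any unaffected range matches it. The function names, the major.minor slot rule and the slot-scoped ranges are assumptions for illustration; the page does not show the committed XML.

```python
import operator

OPS = {"ge": operator.ge, "lt": operator.lt}


def ver(s):
    """Parse a plain dotted version such as '7.3.17' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))


def slot_of(version):
    # Assumption: dev-lang/php slots are major.minor (7.2, 7.3, 7.4),
    # as listed in the slot column of the eshowkw output.
    return ".".join(version.split(".")[:2])


def matches(installed, rng):
    """rng is (op, bound, slot); slot None means the range applies to every slot."""
    op, bound, slot = rng
    if slot is not None and slot_of(installed) != slot:
        return False
    return OPS[op](ver(installed), ver(bound))


def affected(installed, vulnerable, unaffected):
    # Step 1: installed versions that match at least one vulnerable range.
    v_installed = [p for p in installed if any(matches(p, r) for r in vulnerable)]
    # Step 2: drop every one that also matches ANY unaffected range.
    return [p for p in v_installed if not any(matches(p, r) for r in unaffected)]


# Constructed input, using the versions from the debug output above.
INSTALLED = ["7.3.17", "7.4.4"]
BOUNDS = ["7.2.29", "7.3.18", "7.4.5"]


def ranges(op, with_slots):
    return [(op, b, slot_of(b) if with_slots else None) for b in BOUNDS]


def check(with_slots):
    return affected(INSTALLED, ranges("lt", with_slots), ranges("ge", with_slots))


if __name__ == "__main__":
    print("ranges without slots:", check(False))  # '>=7.2.29' clears both versions
    print("ranges with slots:   ", check(True))   # each range only sees its own slot
```

Without slots, the `ge 7.2.29` range matches both installed versions and the result is empty; once each range is limited to its own slot, both stay flagged.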
*** Bug 718600 has been marked as a duplicate of this bug. ***