[Python-modules-team] CVE-2008-1447: python-dns fix version issue

Andrei Nikonov nikonovandrey1994 at gmail.com
Fri May 14 06:15:50 BST 2021


Dear Mr. Kitterman and Python Modules Team,

I am writing to you as you are mentioned as maintainers of the *python-dns*
package.

I did some research about Debian vulnerability data and found an issue.

If I check CVE-2008-1447
<https://security-tracker.debian.org/tracker/CVE-2008-1447> on the Debian
Security Tracker page, I will see that the fixed version for python-dns is
*2.3.1-5* (the same version is on the page of JSON-formatted security data
<https://security-tracker.debian.org/tracker/data/json>).

But the information for this CVE in the OVAL data file for Buster
<https://www.debian.org/security/oval/oval-definitions-buster.xml> is
different. The definition of that CVE starts at line 74982 in that file.
The criterion below states that
*None DPKG is earlier than 2.43-1.*

My questions are:
1. Should I consider the fixed version to be 2.43-1 for python-dns?
2. Why does the OVAL criterion reference a "None" object? How should I interpret
this?
3. Should I rely on OVAL files?

Hoping for an answer.
-- 
Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.
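
The cross-check described in this message can be automated. The following is an added example, not part of the original message or of Debian's tooling: it compares the fixed version in tracker-style JSON with the criterion comments of an OVAL definition and flags a criterion that names no package. Assumptions: the sample JSON and XML are constructed and trimmed, and the feed layout (package, CVE, releases, `fixed_version`; package and version carried in the criterion `comment`) is inferred from the criterion text quoted above.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed samples shaped like the two feeds (layout assumed);
# only the package name, CVE id and version strings come from the message above.
TRACKER_JSON = """{"python-dns": {"CVE-2008-1447": {"releases": {
  "buster": {"status": "resolved", "fixed_version": "2.3.1-5"}}}}}"""

OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions><definition class="vulnerability" id="oval:example:def:1">
  <metadata><title>CVE-2008-1447</title></metadata>
  <criteria operator="AND">
   <criterion comment="None DPKG is earlier than 2.43-1" test_ref="oval:example:tst:1"/>
  </criteria>
 </definition></definitions></oval_definitions>"""

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
CRITERION = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")

def oval_fixes(xml_text, cve):
    """Return [(package, version)] from the criterion comments of one CVE definition."""
    found = []
    for d in ET.fromstring(xml_text).iterfind(".//o:definition", NS):
        title = d.findtext("o:metadata/o:title", default="", namespaces=NS)
        if cve not in title.split():
            continue
        for c in d.iterfind(".//o:criterion", NS):
            m = CRITERION.match(c.get("comment", ""))
            if m:
                found.append(m.groups())
    return found

def compare(tracker_text, xml_text, package, cve, release):
    """List disagreements between the tracker JSON and the OVAL criteria."""
    releases = json.loads(tracker_text).get(package, {}).get(cve, {}).get("releases", {})
    fixed = releases.get(release, {}).get("fixed_version")
    issues = []
    for pkg, version in oval_fixes(xml_text, cve):
        if pkg not in (package, "None"):
            continue  # criterion belongs to a different package
        if pkg == "None":
            issues.append(f"OVAL criterion names no package (version {version})")
        if version != fixed:  # agreement check only, not dpkg version ordering
            issues.append(f"OVAL says {version}, tracker says {fixed}")
    return issues

if __name__ == "__main__":
    print("\n".join(compare(TRACKER_JSON, OVAL_XML, "python-dns", "CVE-2008-1447", "buster")))
```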