[Python-modules-team] CVE-2008-1447: python-dns fix version issue

Brian May brian at linuxpenguins.xyz
Fri May 14 07:22:12 BST 2021


Forwarding this request to security at debian.org who deal with the
security infrastructure in Debian.

Andrei Nikonov <nikonovandrey1994 at gmail.com> writes:

> Dear Mr. Kitterman and Python Modules Team,
>
> I am writing to you as you are mentioned as maintainers of the *python-dns*
> package.
>
> I did some research about Debian vulnerability data and found an issue.
>
> If I check CVE-2008-1447
> <https://security-tracker.debian.org/tracker/CVE-2008-1447> with Debian
> Security Tracker page, I will see that the fixed version for python-dns is
> *2.3.1-5* (the same version is on the page of JSON-formatted security data
> <https://security-tracker.debian.org/tracker/data/json>)
>
> But the information for this CVE in the file of OVAL data for Buster
> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
> different. The definition of that CVE starts at line 74982 in that file.
> The criterion below says that
> *None DPKG is earlier than 2.43-1.*
>
> My questions are:
> 1. Should I consider the fixed version to be 2.43-1 for python-dns?
> 2. Why does the OVAL criterion reference a "None" object? How should I interpret
> this?
> 3. Should I rely on the OVAL files?
>
> Hoping for an answer.
> -- 
> Andrey Nikonov,
> Security engineer,
> "Frodex" Ltd.
> Ufa, Russia.
> _______________________________________________
> Python-modules-team mailing list
> Python-modules-team at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
-- 
Brian May <brian at linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
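
The comparison described in the quoted message can be automated. The following is an added example, not part of the original thread or of any Debian tooling: it reads OVAL criterion comments of the form quoted above and checks them against tracker JSON. The sample inputs are constructed, the tracker layout (package, CVE, `releases`, release, `fixed_version`) is an assumption, and `cross_check` and its finding names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; only the criterion comment and the tracker's
# fixed version come from the message. The tracker layout is an assumption.
OVAL_SAMPLE = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definition id="oval:example:def:1" class="vulnerability">
  <metadata><title>CVE-2008-1447</title></metadata>
  <criteria>
   <criterion comment="None DPKG is earlier than 2.43-1" test_ref="oval:example:tst:1"/>
  </criteria>
 </definition>
</oval_definitions>"""
TRACKER_SAMPLE = json.dumps({"python-dns": {"CVE-2008-1447": {"releases": {
    "buster": {"status": "resolved", "fixed_version": "2.3.1-5"}}}}})
COMMENT_RE = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def oval_criteria(xml_text):
    """Yield (cve, package, version) for every dpkg criterion comment."""
    for d in ET.fromstring(xml_text).iter():
        if local(d.tag) != "definition":
            continue
        title = next((e.text or "" for e in d.iter() if local(e.tag) == "title"), "")
        cve = CVE_RE.search(title)
        for c in d.iter():
            m = COMMENT_RE.match(c.get("comment", "").strip())
            if local(c.tag) == "criterion" and m and cve:
                yield cve.group(0), m.group(1), m.group(2)

def cross_check(xml_text, tracker_json, release):
    """Return one finding per OVAL criterion that disagrees with the tracker."""
    tracker, findings = json.loads(tracker_json), []
    for cve, pkg, ver in oval_criteria(xml_text):
        # Every package the tracker lists for this CVE in this release.
        fixed = {p: e[cve]["releases"][release].get("fixed_version")
                 for p, e in tracker.items() if release in e.get(cve, {}).get("releases", {})}
        if pkg != "None" and fixed.get(pkg) == ver:
            continue  # sources agree (plain string match, not dpkg version ordering)
        kind = ("oval-package-name-missing" if pkg == "None" else
                "version-mismatch" if pkg in fixed else "package-not-in-tracker")
        findings.append({"cve": cve, "kind": kind, "oval": (pkg, ver), "tracker": fixed})
    return findings
```
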