[Python-modules-team] CVE-2008-1447: python-dns fix version issue

Scott Kitterman scott at kitterman.com
Mon May 17 11:32:34 BST 2021


Security tracker is correct for python-dns.

Scott K

On May 14, 2021 6:22:12 AM UTC, Brian May <brian at linuxpenguins.xyz> wrote:
>Forwarding this request to security at debian.org who deal with the
>security infrastructure in Debian.
>
>Andrei Nikonov <nikonovandrey1994 at gmail.com> writes:
>
>> Dear Mr. Kitterman and Python Modules Team,
>>
>> I am writing to you as you are mentioned as maintainers of the
>> *python-dns* package.
>>
>> I did some research about Debian vulnerability data and found an issue.
>>
>> If I check CVE-2008-1447
>> <https://security-tracker.debian.org/tracker/CVE-2008-1447> with the Debian
>> Security Tracker page, I will see that the fixed version for python-dns is
>> *2.3.1-5* (the same version is on the page of JSON-formatted security data
>> <https://security-tracker.debian.org/tracker/data/json>).
>>
>> But the information for this CVE in the file of OVAL data for Buster
>> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
>> different. The definition of that CVE starts from line 74982 in that file.
>> The criterion below tells that
>> *None DPKG is earlier than 2.43-1.*
>>
>> My questions are:
>> 1. Should I consider fixed version 2.43-1 for python-dns?
>> 2. Why does the OVAL criterion reference a "None" object? How should I
>> interpret this?
>> 3. Should I rely on OVAL files?
>>
>> Hoping for an answer.
>> -- 
>> Andrey Nikonov,
>> Security engineer,
>> "Frodex" Ltd.
>> Ufa, Russia.
>> _______________________________________________
>> Python-modules-team mailing list
>> Python-modules-team at alioth-lists.debian.net
>>
>https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
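
An added example, not part of the original thread or of any Debian tooling: a cross-check that compares OVAL criterion comments with the Security Tracker's fixed versions and reports entries such as the "None DPKG is earlier than 2.43-1" criterion quoted above. The OVAL fragment and tracker record are constructed samples using the values from the thread; their layout (the `criterion` comment text, the CVE in `title`, and the `releases`/`fixed_version` keys) is an assumption about the two feeds.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The layouts (criterion comments in OVAL; package ->
# CVE -> releases -> fixed_version in the tracker JSON) are assumptions.
OVAL_SAMPLE = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <metadata><title>CVE-2008-1447</title></metadata>
      <criteria>
        <criterion comment="None DPKG is earlier than 2.43-1"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""
TRACKER_SAMPLE = {"python-dns": {"CVE-2008-1447": {
    "releases": {"buster": {"status": "resolved", "fixed_version": "2.3.1-5"}}}}}

CRITERION = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def oval_fixes(xml_text):
    """Return (cve, package, version) for each DPKG criterion in the OVAL text."""
    fixes = []
    for definition in ET.fromstring(xml_text).iter():
        if local(definition.tag) != "definition":
            continue
        title = next((e.text or "" for e in definition.iter()
                      if local(e.tag) == "title"), "")
        for crit in definition.iter():
            match = CRITERION.match(crit.get("comment", ""))
            if local(crit.tag) == "criterion" and match:
                fixes.append((title.strip(), match.group(1), match.group(2)))
    return fixes

def cross_check(xml_text, tracker, release):
    """List OVAL criteria whose package or version disagrees with the tracker."""
    findings = []
    for cve, pkg, version in oval_fixes(xml_text):
        # Every package the tracker lists for this CVE in this release.
        known = {p: cves[cve]["releases"][release].get("fixed_version")
                 for p, cves in tracker.items()
                 if release in cves.get(cve, {}).get("releases", {})}
        if known.get(pkg) != version:
            findings.append((cve, pkg, version, known))
    return findings
```

Each finding carries the tracker's own package-to-version map for that CVE, so a criterion naming a package the tracker does not know (here "None") is shown next to the values the tracker does hold.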


