Version Numbers in DSAs

by Alex Page


Hi there,

I'm having a bit of trouble with version numbers reported in DSAs. We keep our stable systems patched by updating against security.debian.org but have an external audit process, which compares the versions of installed packages with the versions reported as fixed in each DSA.

The problem is that the versions reported in the DSA are often missing the epoch; take for example the bind9 DSA-1847, which says that the problem is fixed in version 9.5.1.dfsg.P3-1 when the version on my patched Lenny system is actually 1:9.5.1.dfsg.P3-1. If I hadn't applied the patch, I'd be running an earlier version (say 1:9.5.1), which dpkg --compare-versions would still show as being more recent than the "fixed" version reported in the DSA.

Is it possible to include the epoch in the version number reported in the DSA, so it matches the actual version field of the Debian package which includes the fix? I presume this is simply a bug in the automated DSA issuing process...

Cheers,

Alex
--
Alex Page
Senior Systems Administrator, Systems & Technology Group Manchester Lab, IBM UK
Phone: +44 (0) 161 836 2300





Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

Re: Version Numbers in DSAs

by Nico Golde


Hi,
CCing you, as I don't know if you're subscribed.
* Alex Page <alex.page@...> [2009-08-14 14:38]:
[...]
> Is it possible to include the epoch in the version number reported in the
> DSA, so it matches the actual version field of the Debian package which
> includes the fix? I presume this is simply a bug in the automated DSA
> issuing process...

I just checked the dak code that fills out the version in
the advisory. The problem with it is that dak uses the
version extracted from the file names, and as the epoch is
only used internally and is not part of the file names, it
doesn't know about the epoch at this point. This is also the
reason why the unstable version for DSA-1847-1 is correct:
dak doesn't know about the unstable version either; that
version has been filled in manually.

To be honest, I currently see no way to fix this other than
not using any of these versions automatically. I CCed Joerg,
who maintains this dak code to my knowledge.

Joerg, is there any way dak could know about these version
numbers or can't it by design? If so, any idea why the
epochs are not included in the file names?

Cheers
Nico


--
Nico Golde - http://www.ngolde.de - nion@... - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.



Re: Version Numbers in DSAs

by JW


On Friday 14 August 2009 07:29:42 Alex Page wrote:
> Is it possible to include the epoch in the version number reported in the
> DSA, so it matches the actual version field of the Debian package which
> includes the fix? I presume this is simply a bug in the automated DSA
> issuing process...

If it helps any - I have run into this same problem, and I second this
motion :-)

        JW

--

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Version Numbers in DSAs

by Florian Weimer


* Alex Page:

> I'm having a bit of trouble with version numbers reported in DSAs. We keep
> our stable systems patched by updating against security.debian.org but
> have an external audit process, which compares the versions of installed
> packages with the versions reported as fixed in each DSA.

You should download the .dsc files and use the version number
contained therein.  This is what dsa2list does (a helper tool for the
security tracker).  This only gives you the source version, but you
can get that for an installed package from the dpkg status file.

The data generated for debsecan also includes epochs.  debsecan also
implements the comparison based on source versions.

(We use source versions for tracking because binary package versions
and names are architecture-specific.)


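The two points above, Alex's observation that an epoch-less "fixed" version makes an unpatched 1:9.5.1 compare as newer, and Florian's suggestion to compare source versions taken from the .dsc against the source version recorded in the dpkg status file, are illustrated by the following added example. It is not code from the thread, from dak, dsa2list or debsecan; it re-implements dpkg's version ordering in Python so it runs offline (on a Debian host you would shell out to dpkg --compare-versions instead), and the status-file and .dsc excerpts it reads are constructed for the example, not copied from a real system or from the DSA-1847 source package.

```python
"""Audit installed Debian source versions against the fixed version from a DSA.

Added example, not code from the thread or from Debian's own tools.  Version
ordering follows dpkg's algorithm (epoch, then upstream version, then Debian
revision; '~' sorts before anything, including end of string).
"""
import re


def _order(c: str) -> int:
    """dpkg's ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character under _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    return _sign(_verrevcmp(ua, ub)) or _sign(_verrevcmp(ra, rb))


def installed_source_versions(status_text: str) -> dict:
    """Map source package -> source version for installed packages in a dpkg status file."""
    out = {}
    for stanza in re.split(r"\n\s*\n", status_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue  # continuation line of a multi-line field (Description etc.)
            key, sep, value = line.partition(":")
            if sep:
                fields[key] = value.strip()
        if "Package" not in fields or not fields.get("Status", "").endswith(" installed"):
            continue
        source, version = fields.get("Source", fields["Package"]), fields["Version"]
        # 'Source: foo (1:2.3-4)' is how dpkg records a source version that differs
        # from the binary one (e.g. after a binNMU); prefer it over the binary Version.
        m = re.fullmatch(r"(\S+)\s*\(([^)]*)\)", source)
        if m:
            source, version = m.group(1), m.group(2)
        out[source] = version
    return out


def dsc_version(dsc_text: str) -> str:
    """Return the Version: field of a .dsc; unlike a file name, it carries the epoch."""
    m = re.search(r"^Version:\s*(\S+)\s*$", dsc_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version field in .dsc")
    return m.group(1)


def audit(status_text: str, fixed: dict) -> dict:
    """For each source named in `fixed` that is installed: (installed, fixed, patched?)."""
    installed = installed_source_versions(status_text)
    return {src: (installed[src], ver, compare_versions(installed[src], ver) >= 0)
            for src, ver in fixed.items() if src in installed}


# Constructed dpkg status excerpt (not a real file), modelled on a lenny box whose
# bind9 binaries come from source bind9 1:9.5.1.dfsg.P3-1.
SAMPLE_STATUS = """\
Package: bind9
Status: install ok installed
Version: 1:9.5.1.dfsg.P3-1
Description: Internet Domain Name Server
 Long description continues here.

Package: libbind9-40
Status: install ok installed
Source: bind9
Version: 1:9.5.1.dfsg.P3-1

Package: dnsutils
Status: install ok installed
Source: bind9 (1:9.5.1.dfsg.P3-1)
Version: 1:9.5.1.dfsg.P3-1+b1
"""

# Constructed .dsc excerpt; only the Version field is used.
SAMPLE_DSC = """\
Format: 1.0
Source: bind9
Version: 1:9.5.1.dfsg.P3-1
"""

if __name__ == "__main__":
    # The epoch-less version printed in the DSA makes an unpatched 1:9.5.1 look fixed:
    print(compare_versions("1:9.5.1", "9.5.1.dfsg.P3-1"))        # 1
    # Against the epoch-carrying .dsc version the same system is correctly flagged:
    print(compare_versions("1:9.5.1", dsc_version(SAMPLE_DSC)))  # -1
    print(audit(SAMPLE_STATUS, {"bind9": dsc_version(SAMPLE_DSC)}))
```

The audit deliberately keys on source package names, as Florian describes, so the three bind9 binaries collapse to one source entry; a DSA that names a source package the host does not have installed is simply skipped rather than reported as unpatched.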


Re: Version Numbers in DSAs

by Thijs Kinkhorst


On Friday 14 August 2009, Nico Golde wrote:
> Joerg, is there any way dak could know about these version
> numbers or can't it by design? If so, any idea why the
> epochs are not included in the file names?

Right, in my view the root cause of this is that filenames do not have
epochs, and for consistency I would recommend solving that problem there.


Thijs

