Our systems currently run PHP 7.1 on Debian Jessie, using packages from the semi-official third-party repository at deb.sury.org. Running an authenticated scan on this host is giving numerous failures relating to the
Vulnerable package: php-pear
Installed version: 1.10.8+submodules+notgz-1+0~20190219091008.9+jessi
Fixed version: 5.6.39+dfsg-0+deb8u1
This check tests the installed software version using the apt package manager.
Details: Debian LTS Advisory ([SECURITY] [DLA 1608-1] php5 security update) OID: 18.104.22.168.4.1.25622.214.171.1241608 Version used: 2019-03-18T14:53:48Z
Looking at the Detection Result section suggests the check is comparing the package version numbers incorrectly. The package from
deb.sury.org uses an “epoch” version, meaning that the version from the sury.org repository is newer than the one mentioned in the security update (epoch-less version numbers have an implicit epoch of zero).
Perhaps not the most important thing to fix since Jessie LTS will be EOL in June next year and this is a third-party repository, but I thought I’d mention it in case this is a generic issue with version number checking on Debian-based systems (and I think maybe RPM uses epochs too?) that might need fixing.