Potential False Positive for Ubuntu python2.7 vulnerability

The gb_ubuntu_USN_3817_1.nasl plugin claims that an Ubuntu 18.04 server with python2.7 version 2.7.15-4ubuntu4~18.04 is vulnerable and that 2.7.15~rc1-1ubuntu0.1 is the fixed version. But if I force the installation of the supposedly fixed version thus:

% sudo apt install python2.7=2.7.15~rc1-1ubuntu0.1 python2.7-minimal=2.7.15~rc1-1ubuntu0.1 libpython2.7=2.7.15~rc1-1ubuntu0.1 libpython2.7-minimal=2.7.15~rc1-1ubuntu0.1 libpython2.7-stdlib=2.7.15~rc1-1ubuntu0.1

apt complains, saying I am downgrading:

dpkg: warning: downgrading python2.7 from 2.7.15-4ubuntu4~18.04 to 2.7.15~rc1-1ubuntu0.1

Which is correct? I do note that 2.7.15-4ubuntu4~18.04 is dated much later than 2.7.15~rc1-1ubuntu0.1.



APT is correct. We’re currently working on fixing a bug in our enumeration parsing. I’ll suggest putting an override on the result for now and will report here later when the VT is fixed.

1 Like

As a quickfix lowered the QoD of this VT to 30%. This change is in the feed since yesterday noon.

1 Like