I've noticed a mismatch between security advisories displayed by equo and glsa-check and moreover, equo security advisor seems to not detect a package updated with emerge.
1. I had libvorbis-1.2.0 installed (the version included on Sabayon 3.5 DVD).
2. libvorbis < 1.2.1_rc1 was listed as vulnerable by both glsa-check and equo security list
3. there was no update available in entropy repo, so I emerged fresh libvorbis-1.2.1_rc1 with 'emerge libvorbis'.
4. I've now a fresh libvorbis and refreshed equo security advisories list, but equo still lists my libvorbis as affected, i.e.
- Code: Select all
# equery list -i libvorbis
[ Searching for package 'libvorbis' in all categories among: ]
* installed packages
[I--] [ ] media-libs/libvorbis-1.2.1_rc1 (0)
# equo security update
# equo security list --affected | grep vorbis
>> [GLSA:200806-09:A][<1.2.1_rc1] media-libs/libvorbis: libvorbis: Multiple vulnerabilities
# glsa-check -l|grep -i 200806-09
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.
200806-09 [U] libvorbis: Multiple vulnerabilities ( media-libs/libvorbis )
So, I have libvorbis-1.2.0_rc1 but equo security still lists is as affected, while glsa-check doesn't complain. Is this a bug or am I missing something?