Potential False Positive for Ubuntu python2.7 vulnerability

Karl · July 1, 2019, 8:00pm

The gb_ubuntu_USN_3817_1.nasl plugin claims that an Ubuntu 18.04 server with python2.7 version 2.7.15-4ubuntu4~18.04 is vulnerable and that 2.7.15~rc1-1ubuntu0.1 is the fixed version. But if I force the installation of the supposedly fixed version thus:

% sudo apt install python2.7=2.7.15~rc1-1ubuntu0.1 python2.7-minimal=2.7.15~rc1-1ubuntu0.1 libpython2.7=2.7.15~rc1-1ubuntu0.1 libpython2.7-minimal=2.7.15~rc1-1ubuntu0.1 libpython2.7-stdlib=2.7.15~rc1-1ubuntu0.1

apt complains, saying I am downgrading:

dpkg: warning: downgrading python2.7 from 2.7.15-4ubuntu4~18.04 to 2.7.15~rc1-1ubuntu0.1

Which is correct? I do note that 2.7.15-4ubuntu4~18.04 is dated much later than 2.7.15~rc1-1ubuntu0.1.

Thanks,

Karl

Tino · July 2, 2019, 1:26pm

APT is correct. We’re currently working on fixing a bug in our enumeration parsing. I’ll suggest putting an override on the result for now and will report here later when the VT is fixed.

Tino · July 4, 2019, 9:44am

As a quickfix lowered the QoD of this VT to 30%. This change is in the feed since yesterday noon.