I am trying to analyze Debian OVAL sources to establish whether some packages are vulnerable or not. I am using criteria to establish what the vulnerable version of a package is; however, there are often entries that say "the version is earlier than 0", p.
I assumed that this means that the package is still vulnerable, but I find some discrepancies with the security tracker.
For example, both CVE-1999-1580 and CVE-2019-1010022 are listed with a version less than zero in the Jessie OVAL feed, while one appears as "vulnerable" and the other as "fixed" for Jessie in the tracker.
How should they be handled? So vulnerable or not? If they must be handled as vulnerable, does that mean the feed is outdated compared to the tracker?