Security Basics mailing list archives

Questions about SecurityFocus vulnerability Repository


From: François Gagnon <fgagnon () sce carleton ca>
Date: Mon, 25 Aug 2008 11:07:11 -0400

Hi,

I have a few questions about how to interpret the vulnerability information on SecurityFocus.

1) For BID 30140 we have:
"Sun SDK (Linux Production Release) 1.3.1 _22" is listed as both vulnerable and non-vulnerable
"Sun JRE (Linux Production Release) 1.4.2" is listed 5 times as vulnerable
What is the meaning of that, or are they just glitches in the data?

2) What is the meaning of the ± listing?
For instance, on BID 10078 "Jarle Aase War FTPD 1.67 b05" is listed as non-vulnerable with the - tags
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows NT 4.0
What does that mean?

3) (related to question 2)
For BID 3786, "Apache Software Foundation Apache 1.3.20" is listed as both vulnerable and non-vulnerable, but with different ± listings. What does that mean?

4) Is there a document describing how to interpret the content of the BID on SecurityFocus?

Thanks a lot!

--
François Gagnon Ph.D. Student
Network Management and
Artificial Intelligence Laboratory
Carleton University


www.sce.carleton.ca/~fgagnon

