Subject: Re: pkg/18111: bind8 gives false positive of bind9 vulnerability from audit-packages
To: None <dogcow@babymeat.com>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 08/29/2002 22:36:26
Thanks for sending this PR.  I sent a similar note to tech-pkg, but it
seems to have been lost in the dust and I'd meant to send a PR too, but
never got around to it yet, not even with the constant daily reminders
I've been reading!  ;-)

[ On Thursday, August 29, 2002 at 15:49:09 (-0700), dogcow@babymeat.com wrote: ]
> Subject: pkg/18111: bind8 gives false positive of bind9 vulnerability from audit-packages
>
> Whether the "correct" fix is to rename bind-8 to bind8, etc or to have
> some syntax in the vulnerabilities file akin to "bind<9.2.1&&bind>9.0.0",
> I don't know.

I think the proper fix is to always ensure the basename of the package
is unique for packages like this which have major variants.  BIND-8 and
BIND-9 really are entirely different code bases -- they just happen to
install some of the same filenames and have much the same purpose.

(Though the additional logical operators for the vulnerabilities list
might be useful too.)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
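
The false positive discussed in this thread, reproduced as an added example that is not part of the original message or of audit-packages itself. It is a simplified model of the version matching: it assumes purely numeric dotted versions, the installed package names are constructed, and the `&&` conjunction is the hypothetical syntax floated in the PR.

```python
import re

# Simplified model of the version matching behind audit-packages.
# Assumption: versions are purely numeric and dotted; real pkgsrc
# versions also carry suffixes such as "nb1" that this ignores.
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}
TERM = re.compile(r"([A-Za-z0-9_+-]+?)(<=|>=|<|>)([0-9.]+)")

def version_key(text, width=4):
    """Turn '9.2' into (9, 2, 0, 0) so '9.2' and '9.2.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def split_pkg(pkgname):
    """Split an installed package name at its last hyphen."""
    base, _, version = pkgname.rpartition("-")
    return base, version_key(version)

def matches(pattern, pkgname):
    """True if pkgname satisfies every '&&'-joined term of pattern.
    The '&&' conjunction is the hypothetical syntax floated in the PR."""
    pkg_base, pkg_ver = split_pkg(pkgname)
    for term in pattern.split("&&"):
        m = TERM.fullmatch(term)
        if m is None:
            raise ValueError(f"unparsable term: {term!r}")
        base, op, ver = m.groups()
        if base != pkg_base or not OPS[op](pkg_ver, version_key(ver)):
            return False
    return True

def audit(installed, pattern):
    """Return the installed packages that the pattern flags."""
    return [p for p in installed if matches(pattern, p)]

if __name__ == "__main__":
    # Constructed package names: BIND 8 under the shared basename,
    # BIND 8 under a unique basename, and a BIND 9 release.
    installed = ["bind-8.3.3", "bind8-8.3.3", "bind-9.2.0"]
    for pattern in ("bind<9.2.1", "bind<9.2.1&&bind>9.0.0"):
        print(pattern, "->", audit(installed, pattern))
```

With the shared basename, the single-bound pattern flags the BIND 8 package; either a unique basename or a lower bound on the pattern removes it from the result.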