Re: clarification on status of CVE-2021-33574
Hi Alexandre,
On Sat, Sep 11, 2021 at 10:57:44AM +0200, Alexandre wrote:
> Hi Debian security list,
>
> I have something I can't really figure out. Is there any reason I'm
> missing why https://security-tracker.debian.org/tracker/CVE-2021-33574
> shows all versions of Debian vulnerable, while it seems to only
> affect glibc 2.32 & 2.33 and all Debian versions (but sid) use 2.31 at
> most?
In short: Do not trust version ranges in CVE descriptions.
For an explanation why this affects older releases as well see the
upstream issue https://sourceware.org/bugzilla/show_bug.cgi?id=27896
Furthermore it can be the case that affected versions were not yet
triaged on Debian's side.
Hope this helps,
Regards,
Salvatore