On Wed, 12 May 2021 17:08:25 +0300 Guy Hudara <guy.hudara@whitesourcesoftware.com> wrote: > Hi Neil. Thank you very much for your quick response. > > > > I have a follow-up question: > > > - Not necessarily. The vulnerability may have been introduced in a > recent version of the package - the vulnerable code may simply not > exist in older versions. Maybe the functionality is new or the > methodology was modified. > > GuyH: So, is there any way to know what versions are actually > vulnerable with respect to a given CVE? If the vulnerability was > fixed in version X, I guess that version X-1 is vulnerable, but when > this vulnerability was introduced? What about version X-2?, or X-3?. > This question is relevant for all 3 statuses. If that version is currently in Debian, it'll be listed in the JSON for the relevant source package, with the relevant status. If that version is not currently in Debian, this is the wrong source of your data. -- Neil Williams ============= http://www.linux.codehelp.co.uk/
Attachment:
pgpWRZBDsSIRY.pgp
Description: OpenPGP digital signature