
RE: Few questions about the security tracker



Hi Neil.

Not sure I understand your answer. Let's take an example:

In the JSON I see the following section:

"389-ds-base": {
  "CVE-2012-0833": {
    "description": "The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.",
    "scope": "local",
    "releases": {
      "bullseye": {
        "status": "resolved",
        "repositories": {
          "bullseye": "1.4.4.11-1"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      },
      "buster": {
        "status": "resolved",
        "repositories": {
          "buster": "1.4.0.21-1"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      },
      "sid": {
        "status": "resolved",
        "repositories": {
          "sid": "1.4.4.11-1"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      },
      "stretch": {
        "status": "resolved",
        "repositories": {
          "stretch": "1.3.5.17-2"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      }
    }
  }
},

So, I understand that package 389-ds-base version 1.4.4.11-1 in bullseye is fixed with respect to CVE-2012-0833. Correct?

Now I look at all other versions of this package in the following url: http://ftp.debian.org/debian/pool/main/3/389-ds-base/

I see the following versions:

  • 1.4.0.21-1
  • 1.3.5.17-2
  • 1.3.3.5-4

  1. Are they vulnerable with respect to CVE-2012-0833 in bullseye?
  2. What if the status was “vulnerable”? What can I say about those versions in this case?

--

Thanks,

H Guy

-----Original Message-----
From: Neil Williams <codehelp@debian.org>
Sent: Wednesday, 12 May 2021 18:59
To: Guy Hudara <guy.hudara@whitesourcesoftware.com>
Cc: debian-security-tracker@lists.debian.org; Adi Rashkes <adi.rashkes@whitesourcesoftware.com>
Subject: Re: Few questions about the security tracker

On Wed, 12 May 2021 17:08:25 +0300

Guy Hudara <guy.hudara@whitesourcesoftware.com> wrote:

> Hi Neil. Thank you very much for your quick response.
>
> I have a follow-up question:
>
>    - Not necessarily. The vulnerability may have been introduced in a
>    recent version of the package - the vulnerable code may simply not
>    exist in older versions. Maybe the functionality is new or the
>    methodology was modified.
>
> GuyH: So, is there any way to know what versions are actually
> vulnerable with respect to a given CVE? If the vulnerability was fixed
> in version X, I guess that version X-1 is vulnerable, but when was this
> vulnerability introduced? What about version X-2, or X-3?
> This question is relevant for all 3 statuses.

If that version is currently in Debian, it'll be listed in the JSON for the relevant source package, with the relevant status.

If that version is not currently in Debian, this is the wrong source of your data.

--

Neil Williams

=============

http://www.linux.codehelp.co.uk/
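Added example, not code from the thread, from the security tracker project or from either correspondent: the question in this exchange is what the tracker JSON lets you say about a given version of a source package in a given release. The script below loads a constructed sample (the 389-ds-base entry as quoted above with its description omitted, plus a made-up source package "hypothetical-pkg" under the placeholder key "CVE-XXXX-XXXX", both invented here so that the non-zero fixed_version and "open" branches are exercised), reimplements dpkg's version ordering so it runs without python3-apt (on a Debian host you would call apt_pkg.version_compare instead), and classifies a version. The reading of the fields is this example's assumption, not something the thread states: status "resolved" with fixed_version "0" is taken as "this release was never affected", a non-zero fixed_version as "versions at or above it are fixed, older ones treated as vulnerable", and status "open" as vulnerable. In line with Neil's answer, the result also reports whether the queried version is one the tracker actually lists for that release; for any other version (for example the older tarballs in the pool directory above) the verdict is an extrapolation from fixed_version, with the caveat from the quoted reply that the vulnerable code may not exist at all in older versions.

```python
import json

# Constructed sample, not the live tracker feed: the 389-ds-base entry as quoted
# in the thread (description omitted), plus a made-up source package
# "hypothetical-pkg" keyed by the placeholder "CVE-XXXX-XXXX" so that the
# non-zero fixed_version and "open" branches are exercised as well.
SAMPLE_JSON = """{
 "389-ds-base": {"CVE-2012-0833": {"scope": "local", "releases": {
   "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-1"},
                "fixed_version": "0", "urgency": "unimportant"},
   "buster":   {"status": "resolved", "repositories": {"buster": "1.4.0.21-1"},
                "fixed_version": "0", "urgency": "unimportant"}}}},
 "hypothetical-pkg": {"CVE-XXXX-XXXX": {"scope": "remote", "releases": {
   "bullseye": {"status": "resolved", "repositories": {"bullseye": "2.0-3"},
                "fixed_version": "2.0-2", "urgency": "medium"},
   "buster":   {"status": "open", "repositories": {"buster": "1.9-1"},
                "urgency": "medium"}}}}
}"""


def _order(c):
    """Character weight as in dpkg: '~' sorts before everything, including the
    end of the string; letters sort before other symbols; digits are handled
    numerically by the caller."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs; -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():    # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def dpkg_compare(v1, v2):
    """Compare two Debian versions ([epoch:]upstream[-revision]); -1/0/1."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"   # no revision counts as revision 0
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def assess(tracker, source, cve, release, version):
    """Return (verdict, in_archive) for `version` of `source` in `release`.

    Field semantics assumed by this example: resolved + fixed_version "0" =
    never affected; resolved + other fixed_version = fixed at or above it,
    vulnerable below; open = vulnerable. in_archive is False when the tracker
    does not list `version` for that release, i.e. the verdict is extrapolated.
    """
    rel = tracker.get(source, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None:
        return ("not-tracked", False)
    in_archive = version in rel.get("repositories", {}).values()
    status, fixed = rel.get("status"), rel.get("fixed_version")
    if status == "resolved":
        if fixed == "0":
            return ("not-affected", in_archive)
        return ("fixed" if dpkg_compare(version, fixed) >= 0 else "vulnerable", in_archive)
    if status == "open":
        return ("vulnerable", in_archive)
    return (status or "undetermined", in_archive)


TRACKER = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for ver in ("1.4.4.11-1", "1.4.0.21-1", "1.3.3.5-4"):
        print("389-ds-base", ver, assess(TRACKER, "389-ds-base", "CVE-2012-0833", "bullseye", ver))
    for ver in ("2.0-3", "2.0-2", "2.0-1"):
        print("hypothetical-pkg", ver, assess(TRACKER, "hypothetical-pkg", "CVE-XXXX-XXXX", "bullseye", ver))
```

To run it against real data, replace SAMPLE_JSON with the contents of https://security-tracker.debian.org/tracker/data/json (the same feed the thread is discussing). For the 389-ds-base entry above every bullseye verdict is "not-affected" under the assumed reading, and only 1.4.4.11-1 comes back with in_archive True; 1.4.0.21-1 and 1.3.3.5-4 are not bullseye versions, which is exactly the case where the tracker, as Neil says, is the wrong source.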