
Re: Few questions about the security tracker



On Thu, 13 May 2021 12:02:53 +0300
Guy Hudara <guy.hudara@whitesourcesoftware.com> wrote:

> Hi Neil.
> 
> Not sure I understand your answer. Let's take an example:

This is not the place to go into any further detail of the structure of
the Debian archive or how packages find their way into releases.

There is plenty of documentation on that on the Debian website and Wiki.

 
> In the JSON I see the following section:
> 
> "389-ds-base": {
>     "CVE-2012-0833": {
>         "scope": "local",
>         "releases": {
>             "bullseye": {
>                 "status": "resolved",
>                 "repositories": {
>                     "bullseye": "1.4.4.11-1"
>                 },
>                 "fixed_version": "0",
>                 "urgency": "unimportant"
>             },
>             "buster": {
>                 "status": "resolved",
>                 "repositories": {
>                     "buster": "1.4.0.21-1"
>                 },
>                 "fixed_version": "0",
>                 "urgency": "unimportant"
>             },
>             "sid": {
>                 "status": "resolved",
>                 "repositories": {
>                     "sid": "1.4.4.11-1"
>                 },
>                 "fixed_version": "0",
>                 "urgency": "unimportant"
>             },
>             "stretch": {
>                 "status": "resolved",
>                 "repositories": {
>                     "stretch": "1.3.5.17-2"
>                 },
>                 "fixed_version": "0",
>                 "urgency": "unimportant"
>             }
>         }
>     }
> },
> 
> So, I understand that package *389-ds-base* version *1.4.4.11-1* in
> *bullseye* is fixed with respect to *CVE-2012-0833.* Correct?
> 
> Now I look at all other versions of this package in the following url:
> http://ftp.debian.org/debian/pool/main/3/389-ds-base/

That URL contains all versions of all packages in main for all releases.

> 
> I see the following versions:
> 
>    - 1.4.0.21-1
>    - 1.3.5.17-2
>    - 1.3.3.5-4
> 
> 
> 
>    1. Are they vulnerable with respect to *CVE-2012-0833* in
> *bullseye?* 

Only version 1.4.4.11-1 exists in bullseye - as specified in the JSON
above. The same version can exist in multiple releases but any one
release only has one of the existent versions.

The other versions are in other releases and are listed in the JSON for
those releases.

Any one release only ever has one version of a specific package.

>    2. What if the status was “vulnerable”? What can I say
> about those versions in this case?

Exactly as the JSON states - but only for the relevant releases.

1.4.0.21-1 is only in buster - that tells you nothing about stretch.
"stretch" has only "1.3.5.17-2" - that tells you nothing about sid or
bullseye.

If you have further questions, please ask on the debian-user mailing
list. This is now completely off-topic for this list.
 
-- 
 
Neil Williams
 
=============

http://www.linux.codehelp.co.uk/
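To make the reading of the tracker JSON discussed above mechanical, here is an added Python example (not code from this thread or from the Debian security tracker project) that loads a constructed excerpt of the quoted record and answers both questions: which version a release carries for a CVE, and which releases a given version's status line actually applies to. The function and variable names are my own.

```python
import json

# Constructed excerpt mirroring the tracker JSON quoted in the thread:
# package -> CVE -> "releases" -> per-release status record.
TRACKER_JSON = """
{
  "389-ds-base": {
    "CVE-2012-0833": {
      "scope": "local",
      "releases": {
        "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "buster":   {"status": "resolved", "repositories": {"buster": "1.4.0.21-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "sid":      {"status": "resolved", "repositories": {"sid": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "stretch":  {"status": "resolved", "repositories": {"stretch": "1.3.5.17-2"},
                     "fixed_version": "0", "urgency": "unimportant"}
      }
    }
  }
}
"""

def load_tracker(text=TRACKER_JSON):
    return json.loads(text)

def status_of(tracker, package, cve, release):
    """Return (version shipped in that release, status), or None when the
    package/CVE/release combination is absent. A release has one version."""
    entry = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if entry is None:
        return None
    return entry["repositories"].get(release), entry["status"]

def releases_shipping(tracker, package, cve, version):
    """Releases whose repository carries exactly this version; only their
    status lines say anything about that version."""
    releases = tracker.get(package, {}).get(cve, {}).get("releases", {})
    return sorted(r for r, e in releases.items() if e["repositories"].get(r) == version)

def verdict(tracker, package, cve, version, release):
    """The tracker's status if `release` really ships `version`; otherwise
    'unknown', because the record says nothing about versions a release
    does not carry (e.g. 1.4.0.21-1 tells you nothing about stretch)."""
    found = status_of(tracker, package, cve, release)
    if found is None or found[0] != version:
        return "unknown"
    return found[1]
```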
