
Re: bullseye (security) represents old version on security-tracker.d.o



Hi Kentaro,

> I've found a bit strange status about some tracked issue
> on security-tracker.debian.org.
> 
> 1. CVE-2023-36054 krb5
> https://security-tracker.debian.org/tracker/CVE-2023-36054
> 
> it shows like:
> 
>   bullseye 1.18.3-6+deb11u4 fixed
>   bullseye (security) 1.18.3-6+deb11u3 vulnerable
> 
> you may doubt whether it was not fixed yet because of "vulnerable" label.

This is expected and correct:
CVE-2023-36054 didn't get fixed via a DSA through security.debian.org, but
instead it was included in the latest Bookworm point release:
https://tracker.debian.org/news/1454490/accepted-krb5-1183-6deb11u4-source-into-oldstable-proposed-updates/

As such, the version found on security.debian.org (1.18.3-6+deb11u3), which was fixed
via security.debian.org, _is_ still affected by CVE-2023-36054:
https://tracker.debian.org/news/1386152/accepted-krb5-1183-6deb11u3-source-into-stable-security/

But it doesn't matter since the 1.18.3-6+deb11u4 fix from the point release
supersedes it.

> There is a similar thing for openssl

Same as above.

Cheers,
        Moritz
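The reasoning in the reply above (the higher point-release version supersedes the lower security-suite version, so a host is safe once it runs at least one version the tracker marks fixed) can be checked mechanically with dpkg's version ordering. This is an added example for this thread, not Debian tooling; it implements the dpkg comparison algorithm in Python, and TRACKER_ROWS is constructed from the CVE-2023-36054 krb5 entry quoted in the message.

```python
"""Decide, from security-tracker style rows, whether an installed package
version is still affected, using dpkg's version ordering.  Added example for
this thread, not Debian tooling; TRACKER_ROWS mirrors the quoted krb5 entry."""
import re
from itertools import zip_longest

TRACKER_ROWS = {
    "bullseye": ("1.18.3-6+deb11u4", "fixed"),
    "bullseye (security)": ("1.18.3-6+deb11u3", "vulnerable"),
}

def _order(c):
    # dpkg ordering: '~' before everything (even end of string), then end of
    # string, then letters, then any other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (character order) and digit runs (numeric).
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """<0, 0 or >0 in the same sense as dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_affected(installed, rows=TRACKER_ROWS):
    """Safe once the installed version is >= any version the tracker marks
    fixed; a lower, superseded version in the security suite is irrelevant."""
    return not any(compare_versions(installed, v) >= 0
                   for v, status in rows.values() if status == "fixed")
```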

