Clarification on Subpackage Mapping for CVE Fixes in Debian Linux Kernel

[Subhash <subhash@qualys.com>]

Dear Debian Kernel/Security Team,

I hope you're doing well. My name is Subhash, and I'm from the Qualys Security Research Team. I am examining the Debian security tracker entries (https://security-tracker.debian.org/tracker/CVE-xxxx-xxxx), which lists the Linux version as X.YY.ZZ-N as the fixed version. However, when reviewing the current source package listing at https://packages.debian.org/source/trixie/linux, I see the latest version is A.BB.CC-N, while various subpackages have mixed versions.  For Example-

The Debian security tracker entry (https://security-tracker.debian.org/tracker/CVE-2024-57976), which lists the Linux version as 6.12.37-1 as the fixed version. However, when reviewing the current source package listing at https://packages.debian.org/source/trixie/linux, I see the latest version is 6.12.48-1, while various subpackages have mixed versions like ata-modules-6.12.31-armmp-di, ata-modules-6.12.41+deb13-armmp-di, btrfs-modules-6.12.31-armmp-di, and xfs-modules-6.12.48-powerpc64le-di ..etc. I would like to request clarification on how fixed versions for Linux kernel CVEs map to binary subpackages in Debian. Specifically:

1. Could you please clarify how these subpackage versions relate to the fixed source version and which ones include the CVE fix?
2. When a fixed version is specified for the Linux source package, do all subsequent versions also include the fix by default?
3. How can we determine the exact set of binary subpackages (xfs-modules-6.12.31-s390x-di,xfs-modules-6.12.41+deb13-riscv64-di,ata-modules-6.12.48+deb13-powerpc64le-di..etc) built from a given fixed source version?
4. What is the authoritative data source to retrieve this subpackage list for a particular version?
5. How can we confirm which subpackages are affected by or include a specific CVE fix?

Thank you for your support.

Best regards,

Subhash

Qualys Security Research Team