
Re: security tracker vulnerable versions



On Mon, Mar 21, 2022 at 12:33:46PM +0000, Zuzej, Kerstin wrote:
> Dear Debian Team,
> 
> via the security-tracker Debian provides information about the vulnerable and fixed package versions.
> However, I wanted to ask if the named vulnerable version is the version where the vulnerability was first identified or if it is the lowest number of a vulnerable package.

It shows the vulnerability status of the latest packages currently 
available in a supported Debian suite.

> Example:
> https://security-tracker.debian.org/tracker/CVE-2022-0330
> buster
> 
> 4.19.208-1
> 
> vulnerable
> 
> fixed in 4.19.232-1
> 
> Is the vulnerability from >= 4.19.208-1 and < 4.19.232-1?
> Or is every version lower than the fixed version vulnerable (< 4.19.232-1)?
>...

This distinction is irrelevant for what is supported by Debian,
and therefore not tracked in the Debian security tracker.

> Kind regards.
> Kerstin Zuzej

cu
Adrian

