Re: Debsecan stretch updates ignored
Hi Jasper,
On Fri, Mar 22, 2019 at 10:19:37AM +0000, Jasper Hafkenscheid wrote:
> When using debsecan on a fully updated stretch machine I get a whole list
> of CVEs. The kernel package is the latest from stretch-updates/main, but
> that is not matched in the security-tracker output.
> The 4.9.144-3.1 version is not mentioned on
> https://security-tracker.debian.org/tracker/source-package/linux, should it
> be?
This is simply because neither debsecan nor the security-tracker handles
*-updates. Once the point release happens the issue is resolved.
Furthermore, when a package is only yet in stable-updates it is
technically not yet accepted in stable. We have a bug for that as
https://bugs.debian.org/823664
> It is also odd that the 'stretch (security)' version is so behind the
> normal stretch version (4.9.110-3+deb9u6 vs 4.9.144-3).
This is not really a problem. The last update which entered the
security archive was 4.9.110-3+deb9u6, so that is the version present
in the security-archive itself. Later there were 4.9 stable updates
which were included in point releases, meaning that one supersedes the
one in the security-archive. So this can indeed happen (not only for
the linux package actually) that there will be a newer version which
entered stable in a point release superseding a security upload.
Hope this explains,
Salvatore