
Re: Debsecan stretch updates ignored



Hi Jasper,

On Fri, Mar 22, 2019 at 10:19:37AM +0000, Jasper Hafkenscheid wrote:
> When using debsecan on a fully updated stretch machine I get a whole list
> of CVEs. The kernel package is the latest from stretch-updates/main, but
> that is not matched in the security-tracker output.
> The 4.9.144-3.1 version is not mentioned on
> https://security-tracker.debian.org/tracker/source-package/linux, should it
> be?

This is simply because neither debsecan nor the security-tracker handles the
*-updates. Once the point release happens the issue is resolved.
Furthermore, when a package is only yet in stable-updates it is
technically not yet accepted in stable. We have a bug for that at
https://bugs.debian.org/823664

> It is also odd that the 'stretch (security)' version is so behind the
> normal stretch version (4.9.110-3+deb9u6 vs 4.9.144-3).

This is not really a problem. The last update which entered the
security archive was 4.9.110-3+deb9u6, so that is the version present
in the security-archive itself. Later there were 4.9 stable updates
which were included in point releases, meaning that one supersedes the
one in the security-archive. So this can indeed happen (not only for
the linux package actually) that there will be a newer version which
entered stable in a point release superseding a security upload.

Hope this explains,
Salvatore
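As an added example (not part of the thread), the dpkg version ordering written out in Python shows why a point-release upload such as 4.9.144-3 supersedes the security-archive 4.9.110-3+deb9u6, and why 4.9.144-3.1 from stable-updates is newer still; the function names are mine, and the version strings are the ones from the mail.

```python
import functools
import itertools
import re
# Added example (not part of the thread): the dpkg ordering that decides which upload supersedes another.

def _order(c: str) -> int:
    """dpkg weight of a non-digit char: '~' < end-of-string < letters < other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment dpkg-style: -1, 0 or 1."""
    while a or b:
        # Leading non-digit runs are compared character by character ...
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for x, y in itertools.zip_longest(ra, rb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        # ... then leading digit runs are compared numerically.
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v: str):
    """[epoch:]upstream[-revision] -> (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1: str, v2: str) -> int:
    """Same result as `dpkg --compare-versions`: -1, 0 or 1."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def newest(versions):
    """The version that supersedes the rest, e.g. 4.9.144-3 over 4.9.110-3+deb9u6."""
    return max(versions, key=functools.cmp_to_key(compare_versions))
```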

