Re: Few questions about the security tracker



On Wed, 12 May 2021 14:57:16 +0300
Guy Hudara <guy.hudara@whitesourcesoftware.com> wrote:

> Hi,
> 
> My name is Guy Hudara, and I am working at Whitesource.

Hi, this page may be helpful: https://www.debian.org/security/faq
 
> I have a few questions about the JSON feed of the security tracker
> given in this URL:
> https://security-tracker.debian.org/tracker/data/json
> 
>    1. About the “status” field:
>       1. If it is “*open*” on a given version, does this mean that all
>       previous versions of that package are also vulnerable with
> respect to the CVE?

Not necessarily. The vulnerability may have been introduced in a recent
version of the package - the vulnerable code may simply not exist in
older versions. Maybe the functionality is new or the methodology was
modified.

>       2. If it is “*resolved*”, does this mean that all previous
> versions of that package are vulnerable with respect to the CVE?

Not necessarily, as above. The issue might not have ever existed in
versions older than the version in which the issue was found.

>       3. What does it mean that a version is “*undetermined*”?

This question is covered on the website:
https://security-team.debian.org/security_tracker.html#undetermined-tags

(From the "Reporting discrepancies" page that links to this list, the
security-team site can be found from the "instruction" link.)

In the JSON, it is the status which shows "undetermined" rather than a
version. e.g.

"releases":{"bullseye":{"status":"undetermined","repositories":{"bullseye":"2.10.7+merged+base+2.10.8+dfsg-1"}

Undetermined is used when the issue is in need of triage.

On the main security tracker page, these packages are listed at:
https://security-tracker.debian.org/tracker/status/undetermined

"This page lists packages that may or may not be affected by known
issues. This means that some additional work needs to be done to
determine whether the package is actually vulnerable or not. This list
is a good area for new contributors to make quick and meaningful
contributions."

>    2. About the “repositories”. In the below example: what is the
> difference between the “*stretch*” repository and the
> “*stretch-security*” repository?

This answer may be helpful:
https://www.debian.org/security/faq#ppu

stretch-security exists to get fixes to users of stretch quickly. Other
updates to stretch are collected up into a new point release on a
longer time frame. Each time stretch gets a point release, those
updated packages with security fixes get included. So a security fix
will first appear in stretch-security before later appearing in stretch
when a stretch point release is made. An additional benefit is that new
users of stretch will get the security fixes in the original download
of the installer for that point release, without a need to run a
separate update after the install.

https://wiki.debian.org/DebianReleases/PointReleases

> "stretch": {
>     "status": "resolved",
>     "repositories": {
>         "stretch": "7.1.0+dfsg-13+deb9u3",
>         "stretch-security": "7.1.0+dfsg-13+deb9u3"
>     },
>     "fixed_version": "0.4e-21",
>     "urgency": "not yet assigned"
> }
> 
> --
> 
> Thanks,
> H Guy

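Added example, not part of the original mail or of the tracker project: a small Python walker over the feed shape quoted in this thread, run on a constructed sample. It labels each release block as needing triage, affected, fixed, or fixed only via the <release>-security archive (the point the reply makes about stretch vs stretch-security). The package name, CVE id, versions, and the plain-string version comparison are assumptions made for the example.

```python
import json

# Constructed sample in the shape of the tracker feed (package -> CVE ->
# "releases"). Package name, CVE id and versions are placeholders, not
# real tracker data.
SAMPLE_FEED = json.loads("""
{"examplepkg": {"CVE-0000-0001": {
  "description": "constructed example issue",
  "releases": {
    "stretch": {"status": "resolved",
                "repositories": {"stretch": "7.1.0+dfsg-13+deb9u2",
                                 "stretch-security": "7.1.0+dfsg-13+deb9u3"},
                "fixed_version": "7.1.0+dfsg-13+deb9u3",
                "urgency": "not yet assigned"},
    "buster": {"status": "open",
               "repositories": {"buster": "7.2.0-1"},
               "urgency": "medium"},
    "bullseye": {"status": "undetermined",
                 "repositories": {"bullseye": "7.3.0-1"}}
  }}}}
""")


def classify_release(release, entry):
    """Map one per-release block to a verdict the list reply explains.

    Versions are compared as plain strings (assumption: enough to tell
    whether <release> and <release>-security ship the same build);
    a real checker would use dpkg version ordering instead.
    """
    status = entry.get("status")
    repos = entry.get("repositories", {})
    if status == "undetermined":
        # Tracker has not yet triaged whether the package is affected at all.
        return "needs-triage"
    if status == "open":
        # No fix in this release; says nothing about older package versions.
        return "affected"
    if status == "resolved":
        base = repos.get(release)
        sec = repos.get(release + "-security")
        # Fix published via <release>-security but not yet folded into the
        # <release> point release: users need the security archive enabled.
        if sec is not None and sec != base:
            return "fixed-in-security-only"
        return "fixed"
    return "unknown-status"


def summarize(feed):
    """Return {(package, cve, release): verdict} for a whole feed."""
    out = {}
    for pkg, cves in feed.items():
        for cve, info in cves.items():
            for release, entry in info.get("releases", {}).items():
                out[(pkg, cve, release)] = classify_release(release, entry)
    return out
```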