On Thu, 13 May 2021 12:02:53 +0300
Guy Hudara <guy.hudara@whitesourcesoftware.com> wrote:

> Hi Neil.
>
> Not sure I understand your answer. Let's take an example:

This is not the place to go into any further detail of the structure of
the Debian archive or how packages find their way into releases. There
is plenty of documentation on that on the Debian website and Wiki.

> In the JSON I see the following section:
>
> "389-ds-base": {
>   "CVE-2012-0833": {
>     "scope": "local",
>     "releases": {
>       "bullseye": {
>         "status": "resolved",
>         "repositories": {
>           "bullseye": "1.4.4.11-1"
>         },
>         "fixed_version": "0",
>         "urgency": "unimportant"
>       },
>       "buster": {
>         "status": "resolved",
>         "repositories": {
>           "buster": "1.4.0.21-1"
>         },
>         "fixed_version": "0",
>         "urgency": "unimportant"
>       },
>       "sid": {
>         "status": "resolved",
>         "repositories": {
>           "sid": "1.4.4.11-1"
>         },
>         "fixed_version": "0",
>         "urgency": "unimportant"
>       },
>       "stretch": {
>         "status": "resolved",
>         "repositories": {
>           "stretch": "1.3.5.17-2"
>         },
>         "fixed_version": "0",
>         "urgency": "unimportant"
>       }
>     }
>   }
> },
>
> So, I understand that package *389-ds-base* version *1.4.4.11-1* in
> *bullseye* is fixed with respect to *CVE-2012-0833.* Correct?
>
> Now I look at all other versions of this package in the following url:
> http://ftp.debian.org/debian/pool/main/3/389-ds-base/

That URL contains all versions of all packages in main for all releases.

> I see the following versions:
>
> - 1.4.0.21-1
> - 1.3.5.17-2
> - 1.3.3.5-4
>
> 1. Are they vulnerable with respect to *CVE-2012-0833* in *bullseye?*

Only version 1.4.4.11-1 exists in bullseye - as specified in the JSON
above. The same version can exist in multiple releases but any one
release only has one of the existent versions. The other versions are
in other releases and are listed in the JSON for those releases.

Any one release only ever has one version of a specific package.

> 2. What if the status was "vulnerable"? What can I say about those
> versions in this case?

Exactly as the JSON states - but only for the relevant releases.
1.4.0.21-1 is only in buster - that tells you nothing about stretch.
"stretch" has only "1.3.5.17-2" - that tells you nothing about sid or
bullseye.

If you have further questions, please ask on the debian-user mailing
list. This is now completely off-topic for this list.

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/
Attachment:
pgpGP_0Grzb0w.pgp
Description: OpenPGP digital signature
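The lookup Neil describes (a release ships exactly one version of a package, and a tracker entry only speaks for the release it is keyed under), as an added example that is not part of the thread and not Debian's own tooling. The sample JSON below is constructed: it embeds the 389-ds-base / CVE-2012-0833 excerpt quoted above plus one placeholder entry keyed "CVE-EXAMPLE" (not a real CVE) whose buster record is left unresolved so the "what if the status was vulnerable" question can be answered too. The tracker's actual status word for an unfixed issue is assumed to be "open"; the code treats any status other than "resolved" as still affected.

```python
"""Answer "what does the security tracker let me say about package X
at version V in release R for CVE C?" from tracker-style JSON."""
import json
from typing import Optional

# Constructed sample data. The CVE-2012-0833 records are the ones quoted in
# the thread; "CVE-EXAMPLE" is a placeholder entry, not a real CVE, and its
# "open" status is an assumption about the tracker's vocabulary.
TRACKER_JSON = r'''
{
  "389-ds-base": {
    "CVE-2012-0833": {
      "scope": "local",
      "releases": {
        "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "buster":   {"status": "resolved", "repositories": {"buster": "1.4.0.21-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "sid":      {"status": "resolved", "repositories": {"sid": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "stretch":  {"status": "resolved", "repositories": {"stretch": "1.3.5.17-2"},
                     "fixed_version": "0", "urgency": "unimportant"}
      }
    },
    "CVE-EXAMPLE": {
      "scope": "local",
      "releases": {
        "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-1"},
                     "fixed_version": "1.4.4.11-1", "urgency": "medium"},
        "buster":   {"status": "open", "repositories": {"buster": "1.4.0.21-1"},
                     "urgency": "medium"}
      }
    }
  }
}
'''


def load(text: str) -> dict:
    """Parse tracker JSON (package -> CVE -> releases -> per-release record)."""
    return json.loads(text)


def assess(data: dict, package: str, version: str, release: str, cve: str) -> str:
    """What the tracker lets you say about (package, version) in `release` for `cve`.

    Returns:
      "unknown-release" - the CVE entry has no record for this release
      "not-in-release"  - this release ships a different version; the entry
                          says nothing about the version asked about
      "resolved"        - this release ships this version and the issue is resolved
      any other string  - the raw status (e.g. "open"): still affected
    """
    entry = data.get(package, {}).get(cve)
    if entry is None:
        raise KeyError(f"{cve} is not tracked for {package}")
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "unknown-release"
    shipped = rel.get("repositories", {}).get(release)
    if shipped != version:
        return "not-in-release"
    return rel["status"]


def releases_shipping(data: dict, package: str, version: str) -> list:
    """Inverse lookup: every release whose record says it ships exactly
    `version`. Each release maps to one version, so this is the only set
    of releases the tracker's statements about `version` apply to."""
    found = set()
    for entry in data.get(package, {}).values():
        for release, rel in entry.get("releases", {}).items():
            if rel.get("repositories", {}).get(release) == version:
                found.add(release)
    return sorted(found)


if __name__ == "__main__":
    tracker = load(TRACKER_JSON)
    for ver in ("1.4.4.11-1", "1.4.0.21-1", "1.3.5.17-2", "1.3.3.5-4"):
        print(ver, "bullseye/CVE-2012-0833:",
              assess(tracker, "389-ds-base", ver, "bullseye", "CVE-2012-0833"),
              "shipped by:", releases_shipping(tracker, "389-ds-base", ver))
```

Note that 1.3.3.5-4, present in the pool directory, maps to no release record at all, so the tracker makes no statement about it; a scanner that reports it as "vulnerable in bullseye" is inferring something the data does not contain.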