Re: incorrect version number on security-tracker.debian.org



On Wed, 2 Nov 2022 at 20:41, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Wed, 2022-11-02 at 18:36 +0000, RL wrote:
> > I think the data on security-tracker.debian.org may be incomplete.
> >
> >
> > For example the following links suggest that grub had a vulnerability
> >    that was fixed in: 2.06-3~deb11u1 but bullseye has 2.06-3~deb11u2
> >    (ending in u2 not u1)
> >
>
> bullseye *doesn't* have deb11u2 yet. It's in proposed-updates and
> stable-updates, but stable still has deb11u1 until the next point
> release.

aha, thank-you.

is there a possibility that
https://security-tracker.debian.org/tracker/CVE-2021-3695 could learn
to list 'bullseye-updates' with deb11u2 listed as 'fixed'?

and that this info could propagate into debsecan

(I see it also affects
https://security-tracker.debian.org/tracker/CVE-2021-33574 where
2.31-13+deb11u5 is installed but the tracker, and therefore (I assume)
debsecan only knows that u4 is fixed - or am I just doing something
stupid by installing anything from proposed-updates?)

