Re: bullseye (security) represents old version on security-tracker.d.o
Hi Kentaro,
> I've found a bit strange status about some tracked issue
> on security-tracker.debian.org.
>
> 1. CVE-2023-36054 krb5
> https://security-tracker.debian.org/tracker/CVE-2023-36054
>
> it shows like:
>
> bullseye 1.18.3-6+deb11u4 fixed
> bullseye (security) 1.18.3-6+deb11u3 vulnerable
>
> you may doubt whether it was not fixed yet because of "vulnerable" label.
This is expected and correct:
CVE-2023-36054 didn't get fixed via a DSA through security.debian.org, but
instead it was included in the latest Bookworm point release:
https://tracker.debian.org/news/1454490/accepted-krb5-1183-6deb11u4-source-into-oldstable-proposed-updates/
As such, the version found on security.debian.org (1.18.3-6+deb11u3), which was fixed
via security.debian.org, _is_ still affected by CVE-2023-36054:
https://tracker.debian.org/news/1386152/accepted-krb5-1183-6deb11u3-source-into-stable-security/
But it doesn't matter since the 1.18.3-6+deb11u4 fix from the point release
supersedes it.
> There is a similar thing for openssl
Same as above.
Cheers,
Moritz
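The explanation above boils down to a version comparison: the tracker shows one row per archive, and the security archive still carries a version older than the one that fixed the CVE, while the point-release version sorts newer and is what users actually get. The following Python is an added example, not code from the security tracker or from anyone in this thread. It implements the Debian version ordering described in deb-version(7) (epoch, upstream, revision; `~` sorts before everything including end of string, letters before non-letters, digit runs numerically) and derives a tracker-style per-archive status plus the effective status for the suite. The archive names, the `fixed_version` parameter and the `suite_status` function are assumptions chosen for the example; the version strings are the ones quoted in the thread.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

# Weight of one character inside a non-digit fragment, per deb-version(7):
# '~' sorts before anything (even end of string), letters before non-letters.
def _order(c):
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_fragment(a, b):
    """Compare two non-digit fragments; missing characters count as end of string (weight 0)."""
    for ca, cb in zip_longest(a, b, fillvalue=""):
        wa = _order(ca) if ca else 0
        wb = _order(cb) if cb else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0

_TOKEN = re.compile(r"(\D*)(\d*)")

def _cmp_part(a, b):
    """Compare an upstream or revision part by alternating non-digit and digit runs."""
    while a or b:
        ma, mb = _TOKEN.match(a), _TOKEN.match(b)
        na, da = ma.groups()
        nb, db = mb.groups()
        r = _cmp_fragment(na, nb)
        if r:
            return r
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_part(ua, ub)
    if r:
        return r
    return _cmp_part(ra, rb)

def archive_status(archive_version, fixed_version):
    """A single archive row is 'fixed' once its version reaches the fixing version."""
    return "fixed" if compare_versions(archive_version, fixed_version) >= 0 else "vulnerable"

def suite_status(archive_versions, fixed_version):
    """Per-archive rows as the tracker shows them, plus the effective status:
    the newest version reachable from any of the suite's archives decides."""
    rows = {name: archive_status(v, fixed_version) for name, v in archive_versions.items()}
    newest = max(archive_versions.values(), key=cmp_to_key(compare_versions))
    return rows, archive_status(newest, fixed_version)

# Constructed sample mirroring the krb5 rows quoted in the thread (assumed archive names).
KRB5_BULLSEYE = {
    "bullseye": "1.18.3-6+deb11u4",             # point release (oldstable-proposed-updates)
    "bullseye (security)": "1.18.3-6+deb11u3",  # last upload via security.debian.org
}
KRB5_FIXED_IN = "1.18.3-6+deb11u4"

if __name__ == "__main__":
    rows, effective = suite_status(KRB5_BULLSEYE, KRB5_FIXED_IN)
    for name, status in rows.items():
        print(f"{name:22} {KRB5_BULLSEYE[name]:20} {status}")
    print("effective status for bullseye:", effective)
```

Running it reproduces the two rows Kentaro quoted ("bullseye ... fixed", "bullseye (security) ... vulnerable") and then reports the suite as fixed, because the point-release version sorts above the security-archive version under Debian ordering.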