
Re: bullseye (security) represents old version on security-tracker.d.o



Hi,

I had misunderstood the intent of that security-tracker.d.o display.
Your explanation made me understand.

Thanks!

On Tue, 9 Jan 2024 at 23:41, Moritz Muehlenhoff <jmm@inutil.org> wrote:
>
> Hi Kentaro,
>
> > I've found a bit strange status about some tracked issue
> > on security-tracker.debian.org.
> >
> > 1. CVE-2023-36054 krb5
> > https://security-tracker.debian.org/tracker/CVE-2023-36054
> >
> > it shows like:
> >
> >   bullseye 1.18.3-6+deb11u4 fixed
> >   bullseye (security) 1.18.3-6+deb11u3 vulnerable
> >
> > you may doubt whether it was not fixed yet because of "vulnerable" label.
>
> This is expected and correct:
> CVE-2023-36054 didn't get fixed via a DSA through security.debian.org, but
> instead it was included in the latest Bookworm point release:
> https://tracker.debian.org/news/1454490/accepted-krb5-1183-6deb11u4-source-into-oldstable-proposed-updates/
>
> As such, the version found on security.debian.org (1.18.3-6+deb11u3), which was fixed
> via security.debian.org _is_ still affected by CVE-2023-36054:
> https://tracker.debian.org/news/1386152/accepted-krb5-1183-6deb11u3-source-into-stable-security/
>
> But it doesn't matter since the 1.18.3-6+deb11u4 fix from the point release
> supersedes it.
>
> > There is a similar thing for openssl

-- 
Kentaro Hayashi <kenhys@gmail.com>
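The quoted reply makes a point that is easy to misread on the tracker: the "vulnerable" label on the bullseye (security) row describes the version in that suite (1.18.3-6+deb11u3), not the state of a host, and apt will install the higher 1.18.3-6+deb11u4 from the point release anyway. What decides whether a given machine is affected is how its installed version sorts against the fixed version under Debian version ordering. The following is an added example, not code from this mail thread or from the security-tracker project: it reimplements the dpkg version-comparison rules (Debian Policy 5.6.12) so it runs without dpkg or apt_pkg, and uses the two tracker rows quoted above as constructed sample data. In practice you would call `dpkg --compare-versions` or `apt_pkg.version_compare` instead of the reimplementation.

```python
"""Decide whether an installed Debian package version is covered by a fix
listed on security-tracker.debian.org, using Debian version ordering.

Normally you would call `dpkg --compare-versions` or apt_pkg.version_compare;
this reimplements the comparison rules from Debian Policy 5.6.12 so the
example runs anywhere without dpkg installed.
"""
from functools import cmp_to_key

_DIGITS = "0123456789"


def _order(c):
    # Sort weight of one non-digit character: '~' sorts before everything
    # (even the end of the string), letters sort before non-letters.
    if c == "~":
        return -1
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # Compare two version fragments (upstream part or Debian revision) by
    # alternating non-digit runs (weighted lexical order) and digit runs
    # (numeric, leading zeros ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1  # a has more digits, so its number is larger
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _sign(x):
    return (x > 0) - (x < 0)


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    r = _verrevcmp(ua, ub)
    if r:
        return _sign(r)
    return _sign(_verrevcmp(ra, rb))


# Constructed from the two tracker rows quoted in the mail: (suite, version, status).
TRACKER_ROWS = [
    ("bullseye", "1.18.3-6+deb11u4", "fixed"),
    ("bullseye (security)", "1.18.3-6+deb11u3", "vulnerable"),
]


def candidate_version(versions):
    """The version apt installs when several suites carry the package: the highest."""
    return max(versions, key=cmp_to_key(compare_versions))


def host_status(installed, rows=TRACKER_ROWS):
    """'fixed' if the installed version is at or above any version the tracker
    marks fixed, else 'vulnerable'. A 'vulnerable' row for another suite does
    not by itself make the host vulnerable."""
    fixed_versions = [v for _, v, s in rows if s == "fixed"]
    if any(compare_versions(installed, v) >= 0 for v in fixed_versions):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ("1.18.3-6+deb11u3", "1.18.3-6+deb11u4"):
        print(f"krb5 {v}: {host_status(v)}")
    print("apt candidate:", candidate_version([v for _, v, _ in TRACKER_ROWS]))
```

Run against the output of `dpkg-query -W -f '${Version}' libkrb5-3` on a bullseye host: deb11u3 reports vulnerable, deb11u4 reports fixed, and the candidate across both suites is deb11u4, which is why the tracker's per-suite "vulnerable" row is not a reason to expect a DSA.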

