
Re: clarification on status of CVE-2021-33574



Hi Alexandre,

On Sat, Sep 11, 2021 at 10:57:44AM +0200, Alexandre wrote:
> Hi Debian security list,
>
> I have something I can't really figure out. Is there any reason I'm
> missing why https://security-tracker.debian.org/tracker/CVE-2021-33574
> shows all versions of Debian vulnerable, while it seems to only
> affect glibc 2.32 & 2.33 and all Debian versions (but sid) use 2.31 at
> most?

In short: Do not trust version ranges in CVE descriptions.

For an explanation why this affects older releases as well see the
upstream issue https://sourceware.org/bugzilla/show_bug.cgi?id=27896

Furthermore it can be the case that affected versions were not yet
triaged on Debian's side.

Hope this helps,

Regards,
Salvatore

