I'm researching the Debian's security feed and I have a couple of questions about the meaning of some of the keys included on the JSON feed. Below are the keys in question.
- repositories key: I think this is a reference to the last version of the package, although I'm not sure. Example below, from vnc4 package:
"CVE-2009-3560": {"description": "The big2_toUtf8 function..."debianbug": 560901,"scope": "local","releases": {"buster": {"status": "resolved","repositories": {"buster": "4.1.1+X4.3.0+t-1"},"fixed_version": "0","urgency": "unimportant"}}}
- fixed_version key: Its name is quite obvious but, there is a (very common) special case where fixed_version equals "0". According to a little research I've made, this could be related to the fact that the CVE is not affecting the current release of the OS. Example below, from gauche package:
"CVE-2005-4443": {
"description": "Untrusted search path vulnerability ...
"scope": "local",
"releases": {
"bullseye": {
"status": "resolved",
"repositories": {
"bullseye": "0.9.10-3"
},
"fixed_version": "0",
"urgency": "unimportant"
},
"buster": {
"status": "resolved",
"repositories": {
"buster": "0.9.6-10"
},
"fixed_version": "0",
"urgency": "unimportant"
},
"sid": {
"status": "resolved",
"repositories": {
"sid": "0.9.10-3"
},
"fixed_version": "0",
"urgency": "unimportant"
}
}
}
I would love this to be clarified, so any help would be appreciated.
Thanks in advance!
| Tomas Sarquis |
| Software Engineer |
| +54 351 741 1244 |
| The Open Source Security Platform |