Hello to Debian's security team.
I'm researching Debian's security feed and I have a couple of questions about the meaning of some of the keys included in the JSON feed. Below are the keys in question.
- repositories key: I think this is a reference to the last version of the package, although I'm not sure. Example below, from the vnc4 package:
    "description": "The big2_toUtf8 function...",
    "buster": "4.1.1+X4.3.0+t-1"
- fixed_version key: Its name is quite obvious, but there is a (very common) special case where fixed_version equals "0". According to a little research I've done, this could be related to the fact that the CVE does not affect the current release of the OS. Example below, from the gauche package:
    "CVE-2005-4443": {
        "description": "Untrusted search path vulnerability ...",
        "scope": "local",
        "releases": {
            "bullseye": {
                "status": "resolved",
                "repositories": {
                    "bullseye": "0.9.10-3"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "buster": {
                "status": "resolved",
                "repositories": {
                    "buster": "0.9.6-10"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "sid": {
                "status": "resolved",
                "repositories": {
                    "sid": "0.9.10-3"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            }
        }
    }
I would love this to be clarified, so any help would be appreciated.
Thanks in advance!
--
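Added example, not part of the message above or of Debian's own tracker code: a small Python triage of a feed in the shape quoted above, which follows the reading the message proposes (fixed_version "0" means the release was never affected; repositories gives the version currently in each suite). The gauche entry is taken from the message; the "examplepkg" package and CVE-0000-0001 are constructed placeholders so that the fixed and open branches are exercised too.

```python
import json

# Constructed sample in the shape of the Debian security tracker JSON feed:
# the gauche / CVE-2005-4443 releases quoted in the message, plus a made-up
# package "examplepkg" (placeholder CVE id) with one fixed and one open
# release so that every branch of the triage below is exercised.
SAMPLE_FEED = json.loads("""{
  "gauche": {"CVE-2005-4443": {"scope": "local", "releases": {
    "bullseye": {"status": "resolved", "repositories": {"bullseye": "0.9.10-3"},
                 "fixed_version": "0", "urgency": "unimportant"},
    "buster":   {"status": "resolved", "repositories": {"buster": "0.9.6-10"},
                 "fixed_version": "0", "urgency": "unimportant"}}}},
  "examplepkg": {"CVE-0000-0001": {"scope": "remote", "releases": {
    "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.2-3"},
                 "fixed_version": "1.2-3", "urgency": "medium"},
    "sid":      {"status": "open", "repositories": {"sid": "1.2-3"},
                 "urgency": "medium"}}}}
}""")


def classify_release(rel):
    """Map one per-release record to a triage state. A fixed_version of "0"
    is read as 'this release was never affected', so test it before status."""
    if rel.get("fixed_version") == "0":
        return "not-affected"
    if rel.get("status") == "resolved":
        return "fixed"
    return rel.get("status", "unknown")  # "open" or "undetermined"


def triage(feed):
    """Flatten package -> CVE -> suite into rows carrying the triage state and
    the version currently in that suite (taken from the repositories key)."""
    rows = []
    for pkg, cves in feed.items():
        for cve, entry in cves.items():
            for suite, rel in entry.get("releases", {}).items():
                rows.append({
                    "package": pkg, "cve": cve, "suite": suite,
                    "state": classify_release(rel),
                    "in_suite": rel.get("repositories", {}).get(suite),
                    "fixed_version": rel.get("fixed_version"),
                    "urgency": rel.get("urgency"),
                })
    return rows


def open_in_suite(feed, suite):
    """Rows for one suite still marked open; not-affected and fixed are skipped."""
    return [r for r in triage(feed) if r["suite"] == suite and r["state"] == "open"]
```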