Re: CVE applicability
Arul Anand MM wrote:
> Advisory page on September 14
> https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390
> states the issue is fixed in 5.10.191-1
No, it doesn't.
It states the issue was fixed - for bullseye, i.e. oldstable - in
5.10.179-3 (lower table).
It also states that 5.10.191-1 was the current version in "bullseye
(security)", so that suite was not vulnerable.
> but the current version of advisory
> states "5.10.209-2" as the fixed version.
No, it doesn't. :-)
It still states the issue was fixed in 5.10.179-3 (lower table).
The current version in "bullseye (security)" is now 5.10.218-1, and in
"bullseye" it's 5.10.209-2, so neither suite is vulnerable.
The fixed version doesn't change. The current version in suites that still
get updates does, of course.
-thh
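
Added example, not part of the original message: the check described above, that a suite is not vulnerable once its current version is at or above the unchanging fixed version, using Debian's version ordering (the comparison `dpkg --compare-versions` performs). The version strings are the ones quoted in this thread except the two marked as constructed; the function names are hypothetical.

```python
import re

def _order(c):
    # dpkg ordering: '~' sorts before everything, even end of string;
    # letters sort before other non-digit characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating (non-digit, digit) chunks of both strings.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    n = max(len(pa), len(pb))
    pa += [("", "")] * (n - len(pa))
    pb += [("", "")] * (n - len(pb))
    for (sa, da), (sb, db) in zip(pa, pb):
        ka, kb = [_order(c) for c in sa], [_order(c) for c in sb]
        width = max(len(ka), len(kb))
        ka += [0] * (width - len(ka))   # end of chunk ranks as 0
        kb += [0] * (width - len(kb))
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(da or 0), int(db or 0)   # digit runs compare numerically
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse(v):
    # [epoch:]upstream[-revision]
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

FIXED = "5.10.179-3"            # fixed version for bullseye, from the thread
SUITES = {                      # current versions quoted in the thread
    "bullseye (security), archived page": "5.10.191-1",
    "bullseye (security), now": "5.10.218-1",
    "bullseye, now": "5.10.209-2",
    "constructed older build": "5.10.46-4",   # constructed sample value
}

def is_vulnerable(current, fixed=FIXED):
    return deb_compare(current, fixed) < 0

if __name__ == "__main__":
    for suite, ver in SUITES.items():
        print(f"{suite}: {ver} ->", "vulnerable" if is_vulnerable(ver) else "fixed")
```

The constructed `5.10.46-4` entry is there because a plain string comparison would rank it above `5.10.179-3`; the numeric comparison of digit runs is what makes the result correct.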