
Re: How to see the list of CRITICALLY vulnerable packages in Debian?



On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> https://security-tracker.debian.org/tracker/status/release/stable
> 
> shows the list of packages currently considered vulnerable, but it does not show the severity.
> 
> For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL severity but the Debian security tracker simply says "not assigned" (No dev so much as bothered to click on the 'NVD' link?)
> 
> Merry Christmas! 
> 
> -- 
> Sent with https://mailfence.com  
> Secure and private email
> 

Hi Maxwillb

If you click through any one of the CVE links, you find a link to a 
specific bug. That link also links to the bugs reported by other 
distributions, the Debian bug number and the NVD score - all the info
you may need.

The "not yet assigned" may be that the Debian Security Team haven't assigned it
a DSA number or decided on how severe it is "to Debian".

Taking the first one - first bug for aom - there's an assessment of which
releases are vulnerable. There's a fixed release in testing. 

It links to various other bugs in Chromium.

The next two CVEs for aom are also linked to the first bug and fixes
backported to stable by the maintainer. It's not as if people are massively
dropping the ball here, in spite of your apprehension.

Hope this helps, and with very best regards as ever.

Andy Cater

