Re: CVE Applicability Inquiry

To: debian-user@lists.debian.org
Subject: Re: CVE Applicability Inquiry
From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
Date: Wed, 29 Jun 2022 17:00:56 -0300
Message-id: <[🔎] 4c0d86b9-8739-6b2b-3cc3-dd27553bd1f7@kalinowski.com.br>
In-reply-to: <[🔎] DM4PR08MB8248BD577250C6C722457C23F2BB9@DM4PR08MB8248.namprd08.prod.outlook.com>
References: <[🔎] DM4PR08MB8248BD577250C6C722457C23F2BB9@DM4PR08MB8248.namprd08.prod.outlook.com>

On 29/06/2022 15:30, Griffin Weikel wrote:

Good Afternoon,
I’m writing to inquire about the applicability of a couple CVEs to theBullseye release. The two CVEs below are popping in our Prisma scans asvulnerable, however I noticed on the Debian site that Bullseye isn’tlisted. This seemed to deviate from the majority of CVEs we’rereviewing. Are you able to confirm that if a CVE page doesn’t list arelease in the tracker that we’re to assume the release isn’t vulnerable?
https://security-tracker.debian.org/tracker/CVE-2022-24675https://security-tracker.debian.org/tracker/CVE-2022-28327

If you search for the golang packages(https://packages.debian.org/search?keywords=golang-1.17 , and also for-1.18) you'll see that they weren't included in bullseye. (Only asbackports, but these aren't included in the regular security support.)




--
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br

Reply to:

References:
- CVE Applicability Inquiry
  - From: Griffin Weikel <griffin.weikel@servicenow.com>

Prev by Date: CVE Applicability Inquiry
Next by Date: Re: stopping job before shutdown.
Previous by thread: CVE Applicability Inquiry
Next by thread: problems with cbl.abuseat.org
Index(es):
- Date
- Thread