Re: CVE Applicability Inquiry
On 29/06/2022 15:30, Griffin Weikel wrote:
> Good Afternoon,
> I’m writing to inquire about the applicability of a couple CVEs to the
> Bullseye release. The two CVEs below are popping in our Prisma scans as
> vulnerable, however I noticed on the Debian site that Bullseye isn’t
> listed. This seemed to deviate from the majority of CVEs we’re
> reviewing. Are you able to confirm that if a CVE page doesn’t list a
> release in the tracker that we’re to assume the release isn’t vulnerable?
> https://security-tracker.debian.org/tracker/CVE-2022-24675
> https://security-tracker.debian.org/tracker/CVE-2022-28327
If you search for the golang packages
(https://packages.debian.org/search?keywords=golang-1.17 , and also for
-1.18) you'll see that they weren't included in bullseye. (Only as
backports, but these aren't included in the regular security support.)
--
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br