
Re: CVE Applicability Inquiry



Hi Griffin,

This is the user mailing list and might not be the best forum for this
type of question.  That said, according to the Debian package search[0],
bullseye has golang-1.15, while the two CVEs you reference are noted as
affecting golang-1.17 and golang-1.18.  So, to answer your question, if
a particular suite is not present in the entry for a CVE, then that
means that the security team has not assessed it as affecting any package in
that suite.  You can view information about the open and resolved CVEs
associated with golang-1.15 in the security tracker as well [1].

Regards,

-Roberto

[0] https://packages.debian.org/search?suite=bullseye&searchon=sourcenames&keywords=golang-1
[1] https://security-tracker.debian.org/tracker/source-package/golang-1.15

On Thu, Jul 07, 2022 at 07:17:18PM +0000, Griffin Weikel wrote:
>    Good Afternoon,
> 
>     
> 
>    Following-up to confirm the information below. Please advise if able.
> 
>     
> 
>    Thank you,
> 
>    Griffin
> 
>     
> 
>    Griffin Weikel
> 
>    Security Risk Engineering Manager
> 
>    M: (443) 745-4594
> 
>     
> 
>    [1]servicenow.com
> 
>    [2]LinkedIn   | [3]Twitter  | [4]YouTube | [5]Facebook
> 
>     
> 
>     
> 
>    From: Griffin Weikel <griffin.weikel@servicenow.com>
>    Date: Wednesday, June 29, 2022 at 2:30 PM
>    To: debian-user@lists.debian.org <debian-user@lists.debian.org>
>    Cc: Tim Nelson <tim.nelson@servicenow.com>, Christopher Engel
>    <christopher.engel@servicenow.com>
>    Subject: CVE Applicability Inquiry
> 
>    Good Afternoon,
> 
>     
> 
>    I’m writing to inquire about the applicability of a couple CVEs to the
>    Bullseye release. The two CVEs below are popping in our Prisma scans as
>    vulnerable, however I noticed on the Debian site that Bullseye isn’t
>    listed. This seemed to deviate from the majority of CVEs we’re reviewing.
>    Are you able to confirm that if a CVE page doesn’t list a release in the
>    tracker that we’re to assume the release isn’t vulnerable?  
> 
>     
> 
>    [6]https://security-tracker.debian.org/tracker/CVE-2022-24675
> 
>    [7]https://security-tracker.debian.org/tracker/CVE-2022-28327
> 
>     
> 
>    Also, confirming my email subscription via CONFIRM s2022062918105226032.
> 
>     
> 
>    Thank you,
> 
>    Griffin
> 
>     
> 
>    Griffin Weikel
> 
>    Security Risk Engineering Manager
> 
>    M: (443) 745-4594
> 
>     
> 
>    [8]servicenow.com
> 
>    [9]LinkedIn   | [10]Twitter  | [11]YouTube | [12]Facebook
> 
>     
> 
> References
> 
>    Visible links
>    1. https://www.servicenow.com/
>    2. https://www.linkedin.com/company/servicenow
>    3. https://twitter.com/servicenow
>    4. https://www.youtube.com/user/servicenowinc
>    5. https://www.facebook.com/servicenow
>    6. https://security-tracker.debian.org/tracker/CVE-2022-24675
>    7. https://security-tracker.debian.org/tracker/CVE-2022-28327
>    8. https://www.servicenow.com/
>    9. https://www.linkedin.com/company/servicenow
>   10. https://twitter.com/servicenow
>   11. https://www.youtube.com/user/servicenowinc
>   12. https://www.facebook.com/servicenow

-- 
Roberto C. Sánchez
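The triage rule Roberto describes (a suite that is absent from a CVE's tracker entry has not been assessed as affected, and the per-source-package page lists what is open or resolved) can be applied mechanically to scanner findings. The script below is an added example, not code from the thread or from the Debian security team; it assumes that tracker data is keyed by source package, then CVE, then a `releases` map per suite, in the spirit of the tracker's JSON export, and every entry in `SAMPLE_TRACKER` (including the fixed versions) is constructed for illustration rather than taken from the real tracker. The `Finding` class and `tracker_status` function are hypothetical names.

```python
"""Triage vulnerability-scanner findings against Debian security-tracker data.

Added example, not part of the original mailing-list thread. The nested layout
(source package -> CVE -> releases -> suite) is an assumption about how tracker
data is organised; the sample values below are constructed, not real.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, Tuple

# Constructed sample. bullseye ships golang-1.15, so the golang-1.17 entries
# only list later suites; golang-1.15 has no entry for these CVEs at all.
# The fixed_version strings are placeholders, not the real fixed versions.
SAMPLE_TRACKER: Dict[str, Dict[str, Any]] = {
    "golang-1.17": {
        "CVE-2022-24675": {
            "releases": {
                "bookworm": {"status": "resolved", "fixed_version": "1.17.9-1"},
                "sid": {"status": "resolved", "fixed_version": "1.17.9-1"},
            },
        },
        "CVE-2022-28327": {
            "releases": {
                "bookworm": {"status": "open"},
                "sid": {"status": "resolved", "fixed_version": "1.17.9-1"},
            },
        },
    },
    "golang-1.15": {},
}


@dataclass(frozen=True)
class Finding:
    """One scanner result, already mapped to the Debian *source* package."""
    cve: str
    source_package: str
    suite: str


def tracker_status(tracker: Dict[str, Dict[str, Any]], finding: Finding) -> str:
    """Classify a finding by what the tracker records for its suite.

    Returns one of:
      "no-entry"      the CVE is not associated with this source package
      "not-assessed"  the CVE exists but the suite is absent, i.e. the
                      security team has not assessed it as affecting the suite
      "open"/"resolved"  the status the tracker records for that suite
    """
    package_entries = tracker.get(finding.source_package)
    if package_entries is None or finding.cve not in package_entries:
        return "no-entry"
    releases = package_entries[finding.cve].get("releases", {})
    suite_entry = releases.get(finding.suite)
    if suite_entry is None:
        return "not-assessed"
    return suite_entry["status"]


def triage(tracker: Dict[str, Dict[str, Any]],
           findings: Iterable[Finding]) -> Dict[Tuple[str, str, str], str]:
    """Map each (cve, source_package, suite) to its tracker classification."""
    return {(f.cve, f.source_package, f.suite): tracker_status(tracker, f)
            for f in findings}


if __name__ == "__main__":
    # The two CVEs from the thread, as a bullseye host running golang-1.15
    # would report them, plus one finding on a later suite for contrast.
    scan = [
        Finding("CVE-2022-24675", "golang-1.15", "bullseye"),
        Finding("CVE-2022-28327", "golang-1.15", "bullseye"),
        Finding("CVE-2022-28327", "golang-1.17", "bookworm"),
    ]
    for key, status in triage(SAMPLE_TRACKER, scan).items():
        print(key, "->", status)
```

The important step before calling `tracker_status` is resolving the scanner's binary package or upstream version to the Debian source package for the suite actually installed (here golang-1.15 for bullseye); a scanner that matches on upstream Go version ranges will otherwise flag a CVE that the tracker never associates with that source package, which is the mismatch the original question describes.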
