Hi Jasper,

On Fri, Mar 22, 2019 at 10:19:37AM +0000, Jasper Hafkenscheid wrote:
> When using debsecan on a fully updated stretch machine I get a whole list
> of CVEs. The kernel package is the latest from stretch-updates/main, but
> that is not matched in the security-tracker output.
> The 4.9.144-3.1 version is not mentioned on
> https://security-tracker.debian.org/tracker/source-package/linux, should it
> be?
This is simply because neither debsecan nor the security-tracker handles
the *-updates. Once the point release happens the issue is resolved.
Furthermore, when a package is only in stable-updates it is technically not
yet accepted into stable. We have a bug for that:
https://bugs.debian.org/823664

> It is also odd that the 'stretch (security)' version is so behind the
> normal stretch version (4.9.110-3+deb9u6 vs 4.9.144-3).

This is not really a problem. The last update which entered the security
archive was 4.9.110-3+deb9u6, so that is the version present in the
security archive itself. Later there were 4.9 stable updates which were
included in point releases, meaning that one supersedes the one in the
security archive. So this can indeed happen (not only for the linux package
actually) that there will be a newer version which entered stable in a point
release, superseding a security upload.

Hope this explains,

Salvatore
