Hi Neil.
Not sure I understand your answer. Let's take an example:
In the JSON I see the following section:
"389-ds-base": {
    "CVE-2012-0833": {
        "description": "The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.",
        "scope": "local",
        "releases": {
            "bullseye": {
                "status": "resolved",
                "repositories": {
                    "bullseye": "1.4.4.11-1"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "buster": {
                "status": "resolved",
                "repositories": {
                    "buster": "1.4.0.21-1"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "sid": {
                "status": "resolved",
                "repositories": {
                    "sid": "1.4.4.11-1"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "stretch": {
                "status": "resolved",
                "repositories": {
                    "stretch": "1.3.5.17-2"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            }
        }
    },
So, I understand that package *389-ds-base* version *1.4.4.11-1* in
*bullseye* is fixed with respect to *CVE-2012-0833.* Correct?
Now I look at all other versions of this package at the following URL:
http://ftp.debian.org/debian/pool/main/3/389-ds-base/
I see the following versions:
- 1.4.0.21-1
- 1.3.5.17-2
- 1.3.3.5-4
1. Are they vulnerable with respect to *CVE-2012-0833* in *bullseye?*
2. What if the status was "vulnerable"? What can I say about those
versions in this case?
--
Thanks,
H Guy
-----Original Message-----
From: Neil Williams <[email protected]>
Sent: Wednesday, 12 May 2021 18:59
To: Guy Hudara <[email protected]>
Cc: [email protected]; Adi Rashkes <[email protected]>
Subject: Re: Few questions about the security tracker
On Wed, 12 May 2021 17:08:25 +0300
Guy Hudara <[email protected]> wrote:
> Hi Neil. Thank you very much for your quick response.
>
> I have a follow-up question:
>
> - Not necessarily. The vulnerability may have been introduced in a
> recent version of the package - the vulnerable code may simply not
> exist in older versions. Maybe the functionality is new or the
> methodology was modified.
>
> GuyH: So, is there any way to know what versions are actually
> vulnerable with respect to a given CVE? If the vulnerability was fixed
> in version X, I guess that version X-1 is vulnerable, but when was this
> vulnerability introduced? What about version X-2, or X-3?
> This question is relevant for all 3 statuses.
If that version is currently in Debian, it'll be listed in the JSON for the
relevant source package, with the relevant status.
If that version is not currently in Debian, this is the wrong source of
your data.
--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
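The questions in the thread come down to two lookups against the tracker JSON: which release currently ships a given version (the "repositories" map), and how a version compares with "fixed_version" for that release. The script below is an added example, not code from the Debian security tracker or from either correspondent. It embeds the 389-ds-base / CVE-2012-0833 fragment quoted above (description omitted) plus one constructed entry, "CVE-EXAMPLE-0001", whose statuses and versions are invented to exercise the "open", "undetermined" and version-comparison paths. It assumes that "fixed_version": "0" with status "resolved" marks a release whose package was never affected, and that "open" means the release's current package is still vulnerable; the version comparison follows the dpkg ordering rules (epoch, upstream, Debian revision; "~" sorts before everything) and is written here from scratch rather than calling dpkg.

```python
import json

# JSON fragment copied from the tracker excerpt quoted in the thread (description
# dropped), plus a CONSTRUCTED "CVE-EXAMPLE-0001" entry with invented versions and
# statuses so that every code path below has some input.
TRACKER_JSON = r'''
{
  "389-ds-base": {
    "CVE-2012-0833": {
      "scope": "local",
      "releases": {
        "bullseye": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "buster":   {"status": "resolved", "repositories": {"buster": "1.4.0.21-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "sid":      {"status": "resolved", "repositories": {"sid": "1.4.4.11-1"},
                     "fixed_version": "0", "urgency": "unimportant"},
        "stretch":  {"status": "resolved", "repositories": {"stretch": "1.3.5.17-2"},
                     "fixed_version": "0", "urgency": "unimportant"}
      }
    },
    "CVE-EXAMPLE-0001": {
      "scope": "remote",
      "releases": {
        "buster":   {"status": "resolved",
                     "repositories": {"buster": "1.4.0.21-1", "buster-security": "1.4.0.21-1+deb10u1"},
                     "fixed_version": "1.4.0.21-1+deb10u1", "urgency": "medium"},
        "bullseye": {"status": "open", "repositories": {"bullseye": "1.4.4.11-1"}, "urgency": "medium"},
        "stretch":  {"status": "undetermined", "repositories": {"stretch": "1.3.5.17-2"}, "urgency": "low"}
      }
    }
  }
}
'''
TRACKER = json.loads(TRACKER_JSON)


def _order(c):
    """Weight of one character in a non-digit run, as dpkg ranks them:
    '~' before everything (even end of string), digits 0, letters, then symbols."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end of string counts as 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0, like 'dpkg --compare-versions' (epoch, upstream, revision)."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def assess(tracker, package, cve, release, version):
    """Classify one package version in one release against the tracker entry."""
    rel = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None:
        return "unknown"            # no record for this package/CVE/release: wrong data source
    status, fixed = rel.get("status"), rel.get("fixed_version")
    if status == "resolved":
        if fixed == "0":
            return "not-affected"   # assumption: "0" marks a release that was never affected
        if fixed and compare_versions(version, fixed) >= 0:
            return "fixed"
        return "vulnerable"         # older than the fixing version of this release
    if status == "open":
        return "vulnerable"
    return "undetermined"


def find_release(tracker, package, cve, version):
    """Which release (if any) currently ships exactly this version, per 'repositories'."""
    releases = tracker.get(package, {}).get(cve, {}).get("releases", {})
    for release, rel in releases.items():
        if any(compare_versions(v, version) == 0 for v in rel.get("repositories", {}).values()):
            return release
    return None


if __name__ == "__main__":
    for v in ("1.4.4.11-1", "1.4.0.21-1", "1.3.5.17-2", "1.3.3.5-4"):
        rel = find_release(TRACKER, "389-ds-base", "CVE-2012-0833", v)
        verdict = assess(TRACKER, "389-ds-base", "CVE-2012-0833", rel, v) if rel else "not in any listed release"
        print(f"{v:22} release={rel!s:10} CVE-2012-0833: {verdict}")
```

For the page's own data every listed release is "resolved" with "fixed_version": "0", so the versions in bullseye, buster, stretch and sid all come out as "not-affected", and 1.3.3.5-4 maps to no release at all, which matches the point that a version no longer in Debian is not something this JSON can answer for. Only the constructed CVE-EXAMPLE-0001 entry shows the "vulnerable", "fixed" and "undetermined" outcomes, which is where the version comparison actually matters.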