Hi Kentaro,

> I've found a somewhat strange status for a tracked issue
> on security-tracker.debian.org.
>
> 1. CVE-2023-36054 krb5
> https://security-tracker.debian.org/tracker/CVE-2023-36054
>
> It shows:
>
> bullseye            1.18.3-6+deb11u4  fixed
> bullseye (security) 1.18.3-6+deb11u3  vulnerable
>
> One may doubt whether it has been fixed yet because of the "vulnerable" label.
This is expected and correct: CVE-2023-36054 didn't get fixed via a DSA through
security.debian.org, but instead it was included in the latest Bookworm point release:
https://tracker.debian.org/news/1454490/accepted-krb5-1183-6deb11u4-source-into-oldstable-proposed-updates/

As such, the version found on security.debian.org (1.18.3-6+deb11u3), which was
fixed via security.debian.org, _is_ still affected by CVE-2023-36054:
https://tracker.debian.org/news/1386152/accepted-krb5-1183-6deb11u3-source-into-stable-security/

But it doesn't matter, since the 1.18.3-6+deb11u4 fix from the point release
supersedes it.

> There is a similar thing for openssl

Same as above.

Cheers,
Moritz
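The practical question behind the thread is which of the two versions wins on a host that has both the point-release and the security archive enabled, and whether a given installed version is still affected. The script below is an added example for this list post, not code from the thread or from dpkg: it reimplements the ordering described in deb-version(7) (epoch, then upstream version, then Debian revision; digit runs compared numerically, "~" sorting before everything) and applies it to the two tracker lines quoted above. The TRACKER_ENTRIES table is constructed from those quoted lines, and the helper names (compare_versions, highest_version, host_is_vulnerable) are this example's own, not a dpkg or tracker API.

```python
"""Debian version ordering, as an added example (not from the thread or from dpkg).

Mirrors the rules of deb-version(7): compare epoch, then upstream version, then
debian revision; within a fragment, alternate non-digit and digit runs, with
'~' sorting before everything (even the end of the string) and letters
sorting before other non-digit characters.
"""
import functools

# Constructed from the two tracker lines quoted in the thread (not live data).
TRACKER_ENTRIES = {
    "bullseye": ("1.18.3-6+deb11u4", "fixed"),
    "bullseye (security)": ("1.18.3-6+deb11u3", "vulnerable"),
}


def _order(c: str) -> int:
    """Sort weight of one non-digit character (same ordering dpkg uses)."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before everything, including end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream or revision); negative, 0 or positive."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character using the _order weights.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger, else the
        # first differing digit decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> tuple:
    """Split '[epoch:]upstream[-revision]'; the last '-' starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def highest_version(versions) -> str:
    """The candidate apt prefers when several archives offer the package."""
    return max(versions, key=functools.cmp_to_key(compare_versions))


def host_is_vulnerable(installed: str, tracker_entries=TRACKER_ENTRIES) -> bool:
    """True if the installed version is below every version the tracker marks fixed.

    With no 'fixed' entry at all this returns True (nothing known to be fixed).
    """
    fixed = [v for v, status in tracker_entries.values() if status == "fixed"]
    return all(compare_versions(installed, f) < 0 for f in fixed)


if __name__ == "__main__":
    for suite, (ver, status) in TRACKER_ENTRIES.items():
        print(f"{suite:22} {ver:18} {status:11} still vulnerable: {host_is_vulnerable(ver)}")
    print("apt would pick:", highest_version(v for v, _ in TRACKER_ENTRIES.values()))
```

Run as a script it reports that 1.18.3-6+deb11u4 sorts above 1.18.3-6+deb11u3, so a host that has installed the point-release version is past the fix even though the security-archive entry still reads "vulnerable", while a host pinned to the deb11u3 build from security.debian.org is not. The same check works for the openssl case: compare the installed version against the suite the tracker marks as fixed, regardless of which archive shipped the build.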