Hi Alexandre,

On Sat, Sep 11, 2021 at 10:57:44AM +0200, Alexandre wrote:
> Hi Debian security list,
>
> I have something I can't really figure out. Is there any reason I'm
> missing why https://security-tracker.debian.org/tracker/CVE-2021-33574
> shows all versions of Debian vulnerable, while it seems to only
> affect glibc 2.32 & 2.33 and all Debian versions (but sid) use 2.31 at
> most?

In short: Do not trust version ranges in CVE descriptions. For an
explanation why this affects older releases as well see the upstream
issue https://sourceware.org/bugzilla/show_bug.cgi?id=27896

Furthermore it can be the case that affected versions were not yet
triaged on Debian's side.

Hope this helps,

Regards,
Salvatore