Hi. Please do not top post.

On Tue, Sep 15, 2020 at 09:13:04AM +0000, Suryadevara, Revanth wrote:
> Hi Klaus,
>
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is,
> According to nginx download page, (http://nginx.org/en/download.html)
> Nginx 1.14.x is no longer supported and will not be getting regular
> patches. So, if any security Vulnerabilities arise then system would
> be at high risk as the vendor no longer provides updates.

No known CVE = no problem. Unless of course you just happen to know a
private zero-day.
And, as the version of nginx shows, they've fixed some CVEs in the past,
thrice for the duration of buster.

> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879.
> This ID isn't present in the links which you've shared.

Buster's evolution is vulnerable indeed - [1]. Security impact is low,
so it's hardly a surprise it is not fixed yet.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/evolution