On Mon, Mar 21, 2022 at 12:33:46PM +0000, Zuzej, Kerstin wrote: > Dear Debian Team, > > via the security-tracker Debian provides information about the vulnerable and > fixed package versions. > However, I wanted to ask if the named vulnerable version is the version where > the vulnerability was first identified or if it is the lowest number of a > vulnerable package.
It shows the vulnerability status of the latest packages currently available in a supported Debian suite. > Example: > https://security-tracker.debian.org/tracker/CVE-2022-0330 > buster > > 4.19.208-1 > > vulnerable > > fixed in 4.19.232-1 > > Is the vulnerability from >= 4.19.208-1 and < 4.19.232-1 > Or is every version lower then the fixed version vulnerable (< 4.19.232-1) >... This distinction is irrelevant for what is supported by Debian, and therefore not tracked in the Debian security tracker. > Kind regards. > Kerstin Zuzej cu Adrian
