Hi Neil. Thank you very much for your quick response.

I have a follow-up question:

   - Not necessarily. The vulnerability may have been introduced in a
   recent version of the package - the vulnerable code may simply not exist in
   older versions. Maybe the functionality is new or the methodology was
   modified.

GuyH: So, is there any way to know what versions are actually vulnerable
with respect to a given CVE? If the vulnerability was fixed in version X, I
guess that version X-1 is vulnerable, but when was this vulnerability
introduced? What about version X-2, or X-3? This question is relevant for
all 3 statuses.

--

Thanks,

H Guy





-----Original Message-----
From: Neil Williams <[email protected]>
Sent: Wednesday, 12 May 2021 16:54
To: Guy Hudara <[email protected]>
Cc: [email protected]; Adi Rashkes <[email protected]>
Subject: Re: Few questions about the security tracker

On Wed, 12 May 2021 14:57:16 +0300
Guy Hudara <[email protected]> wrote:

> Hi,
>
> My name is Guy Hudara, and I am working at Whitesource.



Hi, this page may be helpful: https://www.debian.org/security/faq

> I have a few questions about the JSON feed of the security tracker
> given in this URL:
> https://security-tracker.debian.org/tracker/data/json
>
>    1. About the “status” field:
>       1. If it is “*open*” on a given version, does this mean that all
>       previous versions of that package are also vulnerable with
>       respect to the CVE?

Not necessarily. The vulnerability may have been introduced in a recent
version of the package - the vulnerable code may simply not exist in older
versions. Maybe the functionality is new or the methodology was modified.

>       2. If it is “*resolved*”, does this mean that all previous
>       versions of that package are vulnerable with respect to the CVE?

Not necessarily, as above. The issue might not have ever existed in
versions older than the version in which the issue was found.

>       3. What does it mean that a version is “*undetermined*”?

This question is covered on the website:

https://security-team.debian.org/security_tracker.html#undetermined-tags

(From the "Reporting discrepancies" page that links to this list, the
security-team site can be found from the "instruction" link.)

In the JSON, it is the status which shows "undetermined" rather than a
version. e.g.

"releases":{"bullseye":{"status":"undetermined","repositories":{"bullseye":"2.10.7+merged+base+2.10.8+dfsg-1"}

Undetermined is used when the issue is in need of triage.

On the main security tracker page, these packages are listed at:

https://security-tracker.debian.org/tracker/status/undetermined

"This page lists packages that may or may not be affected by known issues.
This means that some additional work needs to be done to determine whether
the package is actually vulnerable or not. This list is a good area for new
contributors to make quick and meaningful contributions."

>    2. About the “repositories”. In the below example: what is the
>    difference between the “*stretch*” repository and the
>    “*stretch-security*” repository?

This answer may be helpful:

https://www.debian.org/security/faq#ppu

stretch-security exists to get fixes to users of stretch quickly. Other
updates to stretch are collected up into a new point release on a longer
time frame. Each time stretch gets a point release, those updated packages
with security fixes get included. So a security fix will first appear in
stretch-security before later appearing in stretch when a stretch point
release is made. An additional benefit is that new users of stretch will get
the security fixes in the original download of the installer for that point
release, without a need to run a separate update after the install.

https://wiki.debian.org/DebianReleases/PointReleases



>
> "stretch": {
>                 "status": "resolved",
>                 "repositories": {
>                                 "stretch": "7.1.0+dfsg-13+deb9u3",
>                                 "stretch-security": "7.1.0+dfsg-13+deb9u3"
>                 },
>                 "fixed_version": "0.4e-21",
>                 "urgency": "not yet assigned"
> }
>
> --
>
> *Thanks,*
>
> *H Guy*

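To make the three statuses and the per-release fields concrete, here is an added example (not code from the thread or from the Debian project) that loads a constructed sample in the tracker's JSON shape and classifies an installed version per release, with a dpkg-style version comparison reimplemented for the purpose; the package name and CVE id are placeholders.

```python
import json

# dpkg-style comparison ([epoch:]upstream[-revision]; '~' sorts before anything,
# letters before other non-digits), reimplemented here for the example.
def _order(c):
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        first = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1    # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first = first or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # longer digit run wins
        if j < len(b) and b[j].isdigit(): return -1
        if first: return first
    return 0

def deb_version_cmp(v1, v2):
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

# Constructed sample in the shape of the tracker feed (package -> CVE -> releases);
# package name and CVE id are placeholders, versions are made up.
FEED = json.loads('''{"examplepkg": {"CVE-2021-XXXXX": {"releases": {
 "stretch": {"status": "resolved", "repositories": {"stretch": "7.1.0+dfsg-13+deb9u3",
  "stretch-security": "7.1.0+dfsg-13+deb9u3"}, "fixed_version": "7.1.0+dfsg-13+deb9u3"},
 "buster": {"status": "open", "repositories": {"buster": "7.1.0+dfsg-15"}},
 "bullseye": {"status": "undetermined", "repositories": {"bullseye": "7.2.0-1"}}}}}}''')

def verdict(feed, package, cve, release, installed):
    rel = feed.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None or rel["status"] in ("open", "undetermined"):
        return "not-listed" if rel is None else rel["status"]  # undetermined != safe
    if deb_version_cmp(installed, rel["fixed_version"]) >= 0:
        return "fixed"
    # Older than the fix: the feed says only that the fix came later, not that this version contains the vulnerable code (Neil's point).
    return "predates-fix"
```

The "predates-fix" verdict is deliberately not "vulnerable": as the reply above explains, the feed does not assert that versions older than the fix ever contained the vulnerable code.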