On Wed, 2 Nov 2022 at 20:41, Adam D. Barratt <[email protected]> wrote:
> On Wed, 2022-11-02 at 18:36 +0000, RL wrote:
> > I think the data on security-tracker.debian.org may be incomplete.
> >
> >
> > For example the following links suggest that grub had a vulnerability
> > that was fixed in: 2.06-3~deb11u1 but bullseye has 2.06-3~deb11u2
> > (ending in u2 not u1)
> >
>
> bullseye *doesn't* have deb11u2 yet. It's in proposed-updates and
> stable-updates, but stable still has deb11u1 until the next point
> release.

Aha, thank you. Is there a possibility that https://security-tracker.debian.org/tracker/CVE-2021-3695 could learn to list 'bullseye-updates' with deb11u2 listed as 'fixed'? And that this info could propagate into debsecan (I see it also affects https://security-tracker.debian.org/tracker/CVE-2021-33574 where 2.31-13+deb11u5 is installed but the tracker, and therefore (I assume) debsecan, only knows that u4 is fixed - or am I just doing something stupid by installing anything from proposed-updates?)
