Hi,

I had misunderstood the intent of that security-tracker.d.o status. Your explanation made me understand it.

Thanks!

Tue, 9 Jan 2024 23:41 Moritz Muehlenhoff <[email protected]>:
>
> Hi Kentaro,
>
> > I've found a somewhat strange status for some tracked issues
> > on security-tracker.debian.org.
> >
> > 1. CVE-2023-36054 krb5
> > https://security-tracker.debian.org/tracker/CVE-2023-36054
> >
> > It shows:
> >
> > bullseye 1.18.3-6+deb11u4 fixed
> > bullseye (security) 1.18.3-6+deb11u3 vulnerable
> >
> > You may doubt whether it was fixed yet because of the "vulnerable" label.
>
> This is expected and correct:
> CVE-2023-36054 didn't get fixed via a DSA through security.debian.org, but
> instead it was included in the latest Bookworm point release:
> https://tracker.debian.org/news/1454490/accepted-krb5-1183-6deb11u4-source-into-oldstable-proposed-updates/
>
> As such, the version found on security.debian.org (1.18.3-6+deb11u3), which
> was fixed via security.debian.org, _is_ still affected by CVE-2023-36054:
> https://tracker.debian.org/news/1386152/accepted-krb5-1183-6deb11u3-source-into-stable-security/
>
> But it doesn't matter since the 1.18.3-6+deb11u4 fix from the point release
> supersedes it.
>
> > There is a similar thing for openssl

-- 
Kentaro Hayashi <[email protected]>
