Hello to Debian's security team. I'm researching Debian's security feed <https://security-tracker.debian.org/tracker> and I have a couple of questions about the meaning of some of the keys included in the JSON feed. Below are the keys in question.

- "repositories" key: I think this is a reference to the last version of the package, although I'm not sure. Example below, from the vnc4 package:

    "CVE-2009-3560": {
        "description": "The big2_toUtf8 function...",
        "debianbug": 560901,
        "scope": "local",
        "releases": {
            "buster": {
                "status": "resolved",
                "repositories": {
                    "buster": "4.1.1+X4.3.0+t-1"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            }
        }
    }

- "fixed_version" key: Its name is quite obvious, but there is a (very common) special case where fixed_version equals "0". According to a little research I've done, this could be related to the fact that the CVE is not affecting the current release of the OS. Example below, from the gauche package:

    "CVE-2005-4443": {
        "description": "Untrusted search path vulnerability ...",
        "scope": "local",
        "releases": {
            "bullseye": {
                "status": "resolved",
                "repositories": {
                    "bullseye": "0.9.10-3"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "buster": {
                "status": "resolved",
                "repositories": {
                    "buster": "0.9.6-10"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "sid": {
                "status": "resolved",
                "repositories": {
                    "sid": "0.9.10-3"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            }
        }
    }

I would love this to be clarified, so any help would be appreciated. Thanks in advance!

-- 
Tomas Sarquis
Software Engineer
+54 351 741 1244
Wazuh <https://wazuh.com>
The Open Source Security Platform <https://wazuh.com>