Hi Griffin,

This is the user mailing list and might not be the best forum for this
type of question.  That said, according to the Debian package search[0],
bullseye has golang-1.15, while the two CVEs you reference are noted as
affecting golang-1.17 and golang-1.18.  So, to answer your question, if
a particular suite is not present in the entry for a CVE, then that
means that the security team has not assessed it as affecting any package in
that suite.  You can view information about the open and resolved CVEs
associated with golang-1.15 in the security tracker as well [1].

Regards,

-Roberto

[0] https://packages.debian.org/search?suite=bullseye&searchon=sourcenames&keywords=golang-1
[1] https://security-tracker.debian.org/tracker/source-package/golang-1.15

On Thu, Jul 07, 2022 at 07:17:18PM +0000, Griffin Weikel wrote:
>    Good Afternoon,
> 
>    Following up to confirm the information below. Please advise if able.
> 
>    Thank you,
>    Griffin
> 
>    Griffin Weikel
> 
>    Security Risk Engineering Manager
> 
>    M: (443) 745-4594
> 
>     
> 
>    [1]servicenow.com
> 
>    [2]LinkedIn   | [3]Twitter  | [4]YouTube | [5]Facebook
> 
>     
> 
>     
> 
>    From: Griffin Weikel <griffin.wei...@servicenow.com>
>    Date: Wednesday, June 29, 2022 at 2:30 PM
>    To: debian-user@lists.debian.org <debian-user@lists.debian.org>
>    Cc: Tim Nelson <tim.nel...@servicenow.com>, Christopher Engel
>    <christopher.en...@servicenow.com>
>    Subject: CVE Applicability Inquiry
> 
>    Good Afternoon,
> 
>    I’m writing to inquire about the applicability of a couple CVEs to the
>    Bullseye release. The two CVEs below are popping in our Prisma scans as
>    vulnerable, however I noticed on the Debian site that Bullseye isn’t
>    listed. This seemed to deviate from the majority of CVEs we’re reviewing.
>    Are you able to confirm that if a CVE page doesn’t list a release in the
>    tracker that we’re to assume the release isn’t vulnerable?
> 
>    [6]https://security-tracker.debian.org/tracker/CVE-2022-24675
> 
>    [7]https://security-tracker.debian.org/tracker/CVE-2022-28327
> 
>    Also, confirming my email subscription via CONFIRM s2022062918105226032.
> 
>    Thank you,
>    Griffin
> 
>    Griffin Weikel
> 
>    Security Risk Engineering Manager
> 
>    M: (443) 745-4594
> 
>     
> 
>    [8]servicenow.com
> 
>    [9]LinkedIn   | [10]Twitter  | [11]YouTube | [12]Facebook
> 
>     
> 
> References
> 
>    Visible links
>    1. https://www.servicenow.com/
>    2. https://www.linkedin.com/company/servicenow
>    3. https://twitter.com/servicenow
>    4. https://www.youtube.com/user/servicenowinc
>    5. https://www.facebook.com/servicenow
>    6. https://security-tracker.debian.org/tracker/CVE-2022-24675
>    7. https://security-tracker.debian.org/tracker/CVE-2022-28327
>    8. https://www.servicenow.com/
>    9. https://www.linkedin.com/company/servicenow
>   10. https://twitter.com/servicenow
>   11. https://www.youtube.com/user/servicenowinc
>   12. https://www.facebook.com/servicenow

-- 
Roberto C. Sánchez
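
Added example, not part of the original thread and not a Debian tool: the
lookup described in the reply above, run in Python over a constructed sample
shaped like the security tracker's JSON export. The field names, the
placeholder CVE id, and all statuses and versions are assumptions for
illustration, not real tracker data.

```python
# Constructed sample: source package -> CVE -> releases -> suite.
# Shape and field names are assumed; statuses/versions are placeholders.
SAMPLE_TRACKER = {
    "golang-1.15": {
        "CVE-0000-0001": {"releases": {"bullseye": {"status": "open"}}},
    },
    "golang-1.17": {
        "CVE-2022-24675": {"releases": {
            "sid": {"status": "resolved", "fixed_version": "PLACEHOLDER-1"}}},
    },
    "golang-1.18": {
        "CVE-2022-24675": {"releases": {
            "bookworm": {"status": "open"},
            "sid": {"status": "resolved", "fixed_version": "PLACEHOLDER-2"}}},
    },
}


def triage(tracker, cve, suite):
    """Classify a scanner finding for `cve` against one Debian suite.

    verdict values:
      not-listed  - CVE is tracked, but no package entry names this suite
                    (per the reply: not assessed as affecting that suite)
      unresolved  - at least one package in the suite is not yet resolved
      resolved    - every listed package in the suite is resolved
      unknown-cve - the CVE does not appear in the data at all
    """
    listed, elsewhere = {}, {}
    for pkg, cves in tracker.items():
        entry = cves.get(cve)
        if entry is None:
            continue
        releases = entry.get("releases", {})
        if suite in releases:
            listed[pkg] = releases[suite]
        else:
            # Record where the CVE *is* tracked, to explain the mismatch.
            elsewhere[pkg] = sorted(releases)
    if not listed:
        verdict = "not-listed" if elsewhere else "unknown-cve"
    elif any(r.get("status") != "resolved" for r in listed.values()):
        verdict = "unresolved"
    else:
        verdict = "resolved"
    return {"verdict": verdict, "listed": listed, "elsewhere": elsewhere}


if __name__ == "__main__":
    print(triage(SAMPLE_TRACKER, "CVE-2022-24675", "bullseye"))
```

A "not-listed" result with a non-empty "elsewhere" map is the case in this
thread: the scanner matched on the CVE, but the tracker ties it to source
packages that the suite does not ship.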
