That's the beauty of Debian. If the dev doesn't backport a fix, the maintainer might. It's not uncommon.
On Thu, Jun 20, 2024, 22:38 Jeffrey Walton <noloa...@gmail.com> wrote:

> One additional data point to consider... there are folks who have exploits written for vulnerabilities that the community does not know about.
>
> Generally speaking, the older the software, the more exploits are available. Developers generally don't work on old versions of their software. Instead, they fix some things, release a new version and move on. The only chance to fix the vulnerability is to move to a newer version of the software by building it yourself or using the latest distro release.
>
> Folks who deal in vulnerabilities and exploits adore the old software because nothing gets fixed, so their exploits continue to work on old versions of software. As Greg Kroah-Hartman noted: [1]
>
> > We have a very bad history of keeping bugs alive for a long time. Somebody did a check of it, most known bugs live for five years in systems. These are things that people know and know how to exploit. They're not closed. That's a problem in our infrastructure...
>
> CVE tracking is not the answer because that assumes every exploitable bug is tagged with a CVE. There are lots of bugs out there that are not tracked with a CVE, yet are exploitable. See, for example, the TTY1 layer bug discussed in [1]. It took over 3 years to figure out it was exploitable and for the patches to be backported.
>
> (I have first-hand knowledge of how one firm operates. The firm sells their exploits to Northrop Grumman Electronic Warfare Division.)
>
> [1] https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/
>
> Jeff