Forum: >>> Magnum BBS <<<

Questions concerning Debian's security feed

From Tomas Sarquis@21:1/5 to All on Wed Aug 24 13:40:01 2022

Hello to Debian's security team.

I'm researching the Debian's security feed <https://security-tracker.debian.org/tracker> and I have a couple of
questions about the meaning of some of the keys included on the JSON feed. Below are the keys in question.

- *repositories *key: I think this is a reference to the last version of
the package, although I'm not sure. Example below, from vnc4 package:

"CVE-2009-3560": {

"description": "The big2_toUtf8 function...

"debianbug": 560901,

"scope": "local",

"releases": {

"buster": {

"status": "resolved",

"*repositories*": {

"buster": "4.1.1+X4.3.0+t-1"

},

"fixed_version": "0",

"urgency": "unimportant"

}

}

}

- *fixed_version *key: Its name is quite obvious but, there is a (very
common) special case where fixed_version equals "0". According to a little
research I've made, this could be related to the fact that the CVE is not
affecting the current release of the OS. Example below, from gauche package:

"CVE-2005-4443": {
"description": "Untrusted search path vulnerability ...
"scope": "local",
"releases": {
"bullseye": {
"status": "resolved",
"repositories": {
"bullseye": "0.9.10-3"
},
"*fixed_version*": "0",
"urgency": "unimportant"
},
"buster": {
"status": "resolved",
"repositories": {
"buster": "0.9.6-10"
},
"*fixed_version*": "0",
"urgency": "unimportant"
},
"sid": {
"status": "resolved",
"repositories": {
"sid": "0.9.10-3"
},
"*fixed_version*": "0",
"urgency": "unimportant"
}
}
}

I would love this to be clarified, so any help would be appreciated.
Thanks in advance!

--
Tomas Sarquis
Software Engineer
+54 351 741 1244
[image: Wazuh] <https://wazuh.com>
The Open Source Security Platform <https://wazuh.com>

<div dir="ltr">Hello to Debian's security team.<br><br>I'm researching the <a href="https://security-tracker.debian.org/tracker" target="_blank">Debian's security feed</a> and I have a couple of questions about the meaning of some of the
keys included on the JSON feed. Below are the keys in question.<div><br></div><div><ul><li style="margin-left:15px"><b>repositories </b>key: I think this is a reference to the last version of the package, although I'm not sure. Example below, from
vnc4 package:</li></ul></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-
family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000">"CVE-2009-3560": {</font></div></div></div></blockquote></blockquote><blockquote style="margin:
0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><

<font color="#000000"> "description": "The big2_toUtf8 function...</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;

border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "debianbug": 560901,</font></div></div></div><
/blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-
size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "scope": "local",</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="
margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "releases": {</font></

</div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace&

quot;,monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "buster": {</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><
blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "
status": "resolved",</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:&
quot;Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "<b>repositories</b>": {</font></div></div></div></blockquote></blockquote><blockquote style=
"margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-
wrap"><div><font color="#000000"> "buster": "4.1.1+X4.3.0+t-1"</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> },</font></div></div></div></blockquote></
blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;
line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "fixed_version": "0",</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote
style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> "urgency&
quot;: "unimportant"</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"
Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000"> }</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;
padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000">
}</font></div></div></div></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:"Droid Sans Mono","
monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><font color="#000000">}</font></div></div></div></blockquote></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div style="
font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><br></div></div></blockquote><div><ul><li style="margin-left:15px"><b>fixed_version </b>key: Its name is quite obvious but,
there is a (very common) special case where fixed_version equals "0". According to a little research I've made, this could be related to the fact that the CVE is not affecting the current release of the OS. Example below, from gauche
package:<br><br><div style="font-family:"Droid Sans Mono","monospace",monospace;font-size:14px;line-height:19px;white-space:pre-wrap"><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote
style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><span style="color:rgb(0,0,0)">"CVE-2005-4443"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(
0,0,0)"> </span><span style="color:rgb(0,0,0)">"description"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"Untrusted search path vulnerability ...<br></span><span style="color:rgb(0,0,0)"> </span><span
style="color:rgb(0,0,0)">"scope"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"local"</span><span style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,
0,0)">"releases"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"bullseye"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,
0)"> </span><span style="color:rgb(0,0,0)">"status"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"resolved"</span><span style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)">
</span><span style="color:rgb(0,0,0)">"repositories"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"bullseye"</span><span style="color:
rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0.9.10-3"<br></span><span style="color:rgb(0,0,0)"> },<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"<b>fixed_version</b>"</
span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0"</span><span style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"urgency"</span><span
style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"unimportant"<br></span><span style="color:rgb(0,0,0)"> },<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"buster"</span><
span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"status"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"resolved"</span><span
style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"repositories"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,0)"> </span><span
style="color:rgb(0,0,0)">"buster"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0.9.6-10"<br></span><span style="color:rgb(0,0,0)"> },<br></span><span style="color:rgb(0,0,0)"> </
span><span style="color:rgb(0,0,0)">"<b>fixed_version</b>"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0"</span><span style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)"> </
span><span style="color:rgb(0,0,0)">"urgency"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"unimportant"<br></span><span style="color:rgb(0,0,0)"> },<br></span><span style="color:rgb(0,0,0)">
</span><span style="color:rgb(0,0,0)">"sid"</span><span style="color:rgb(0,0,0)">: {<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"status"</span><span style="color:rgb(0,0,0)">: </span><
span style="color:rgb(0,0,0)">"resolved"</span><span style="color:rgb(0,0,0)">,<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"repositories"</span><span style="color:rgb(0,0,0)">: {<br></
span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"sid"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0.9.10-3"<br></span><span style="color:rgb(0,0,0)">
},<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"<b>fixed_version</b>"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"0"</span><span style="color:rgb(0,0,0)
">,<br></span><span style="color:rgb(0,0,0)"> </span><span style="color:rgb(0,0,0)">"urgency"</span><span style="color:rgb(0,0,0)">: </span><span style="color:rgb(0,0,0)">"unimportant"<br></span><span style="color:rgb(0,0,0)
"> }<br></span><span style="color:rgb(0,0,0)"> }<br></span><font color="#000000">}</font></blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;
border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;
padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"

</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></

blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><
blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote
style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="
margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px
0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote></div></div></li></ul><font color="#000000"><br></font></div><div><font color="#000000">I would love this to be clarified, so any
help would be appreciated.</font></div><div><font color="#000000">Thanks in advance!</font></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><table style="font-family:Arial,
sans-serif;max-width:500px;width:500px;background-image:initial;background-position:initial;background-repeat:initial;border:none;padding:15px 15px 15px 0px"><tbody><tr><td style="font-size:12px;font-weight:600">Tomas Sarquis</td></tr><tr><td style="font-
size:12px">Software Engineer</td></tr><tr><td style="vertical-align:middle;font-size:12px">+54 351 741 1244</td></tr><tr><td style="width:150px;padding-top:20px"><a href="https://wazuh.com" target="_blank"><img src="https://wazuh.com/assets/wazuh-
signature3.png" alt="Wazuh" style="max-width:120px;margin-right:5px"></a></td></tr><tr><td style="vertical-align:middle;font-size:12px"><a href="https://wazuh.com" style="color:rgb(53,133,249);display:flex" target="_blank">The Open Source Security
Platform</a></td></tr></tbody></table></div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Keyop
  Sun Apr 28 20:37:53 2024
  from Huddersfield, West Yorkshire via SSH
- Keyop
  Sun Apr 28 20:37:37 2024
  from Huddersfield, West Yorkshire via SSH
- Keyop
  Sun Apr 28 20:30:04 2024
  from Huddersfield, West Yorkshire via SSH
- Bob Worm
  Sun Apr 28 16:00:25 2024
  from Wales, Uk via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	297
Nodes:	16 (2 / 14)
Uptime:	02:53:54
Calls:	6,666
Calls today:	4
Files:	12,212
Messages:	5,335,692

Questions concerning Debian's security feed

Who's Online

Recent Visitors

System Info