Hello to Debian's security team.
I'm researching Debian's security feed
<https://security-tracker.debian.org/tracker> and I have a couple of
questions about the meaning of some of the keys included in the JSON feed.
Below are the keys in question.
- *repositories* key: I think this is a reference to the last version of
the package, although I'm not sure. Example below, from vnc4 package:

    "CVE-2009-3560": {
      "description": "The big2_toUtf8 function...
      "debianbug": 560901,
      "scope": "local",
      "releases": {
        "buster": {
          "status": "resolved",
          "*repositories*": {
            "buster": "4.1.1+X4.3.0+t-1"
          },
          "fixed_version": "0",
          "urgency": "unimportant"
        }
      }
    }

- *fixed_version* key: Its name is quite obvious, but there is a (very
common) special case where fixed_version equals "0". According to a little
research I've done, this could be related to the fact that the CVE is not
affecting the current release of the OS. Example below, from gauche package:

    "CVE-2005-4443": {
      "description": "Untrusted search path vulnerability ...
      "scope": "local",
      "releases": {
        "bullseye": {
          "status": "resolved",
          "repositories": {
            "bullseye": "0.9.10-3"
          },
          "*fixed_version*": "0",
          "urgency": "unimportant"
        },
        "buster": {
          "status": "resolved",
          "repositories": {
            "buster": "0.9.6-10"
          },
          "*fixed_version*": "0",
          "urgency": "unimportant"
        },
        "sid": {
          "status": "resolved",
          "repositories": {
            "sid": "0.9.10-3"
          },
          "*fixed_version*": "0",
          "urgency": "unimportant"
        }
      }
    }

I would love this to be clarified, so any help would be appreciated.
Thanks in advance!
--
Tomas Sarquis
Software Engineer
+54 351 741 1244
The Open Source Security Platform <https://wazuh.com>
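
Added example, not part of the original message: a small Python walker over entries shaped like the excerpts above. It separates records whose fixed_version is the "0" special case from those with a real version or none, so the special case can be counted and reviewed instead of being compared as a version. The gauche values are copied from the message; `example-pkg`, its placeholder CVE id, and the possibility that a record carries no fixed_version key are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the feed's shape: package -> CVE -> releases -> record.
# The gauche records copy the values quoted in the message; "example-pkg" and
# its placeholder CVE id are invented for illustration.
SAMPLE_FEED = json.loads("""
{
  "gauche": {"CVE-2005-4443": {"scope": "local", "releases": {
    "bullseye": {"status": "resolved", "repositories": {"bullseye": "0.9.10-3"},
                 "fixed_version": "0", "urgency": "unimportant"},
    "buster":   {"status": "resolved", "repositories": {"buster": "0.9.6-10"},
                 "fixed_version": "0", "urgency": "unimportant"}}}},
  "example-pkg": {"CVE-0000-PLACEHOLDER": {"releases": {
    "buster": {"status": "open", "repositories": {"buster": "1.2-2"},
               "urgency": "medium"},
    "sid":    {"status": "resolved", "repositories": {"sid": "1.2-4"},
               "fixed_version": "1.2-3", "urgency": "medium"}}}}
}
""")

def classify(record):
    """Bucket one per-release record by the form of its fixed_version."""
    fixed = record.get("fixed_version")
    if fixed is None:          # assumption: the key may be absent
        return "no-fixed-version"
    if fixed == "0":           # the special case asked about in the message
        return "sentinel-0"
    return "versioned-fix"

def walk(feed):
    """Yield one flat row per (package, CVE, release) record."""
    for package, cves in feed.items():
        for cve_id, entry in cves.items():
            for release, rec in entry.get("releases", {}).items():
                yield {"package": package, "cve": cve_id, "release": release,
                       "status": rec.get("status"), "urgency": rec.get("urgency"),
                       "repo_version": rec.get("repositories", {}).get(release),
                       "kind": classify(rec)}

def summarize(feed):
    """Return the rows plus a tally of (kind, status, urgency) combinations."""
    rows = list(walk(feed))
    return rows, Counter((r["kind"], r["status"], r["urgency"]) for r in rows)

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_FEED)
    for key, n in counts.most_common():
        print(n, *key)
```
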