• Re: CVE applicability

    From Salvatore Bonaccorso@21:1/5 to Arul Anand MM on Wed Jun 19 08:00:01 2024
    Hi,

    On Wed, Jun 19, 2024 at 12:04:45AM +0530, Arul Anand MM wrote:
    > Hello Debian Security Team,
    >
    > This is regarding Debian advisory https://security-tracker.debian.org/tracker/CVE-2023-3390.
    >
    > I would like to confirm whether version 5.10.191-1 is impacted by the UAF
    > and LPE.
    >
    > Advisory page on September 14 https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390
    > states the issue is fixed in 5.10.191-1 but the current version of advisory states "5.10.209-2" as the fixed version. Is there any information on the impacted version changes for CVE-2023-3390?

    All the version information required is actually on https://security-tracker.debian.org/tracker/CVE-2023-3390 . In the
    lower table you see where the fix landed. In the table above you see
    the currently available versions in the suites, with their status.

    But maybe I'm misunderstanding the question?

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Thomas Hochstein@21:1/5 to Arul Anand MM on Wed Jun 19 23:50:01 2024
    Arul Anand MM wrote:

    > Advisory page on September 14 https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390
    > states the issue is fixed in 5.10.191-1

    No, it doesn't.

    It states the issue was fixed - for bullseye, i.e. oldstable - in
    5.10.179-3 (lower table).

    It also states that 5.10.191-1 was the current version in "bullseye (security)", so that suite was not vulnerable.

    > but the current version of advisory
    > states "5.10.209-2" as the fixed version.

    No, it doesn't. :-)

    It still states the issue was fixed in 5.10.179-3 (lower table).

    The current version in "bullseye (security)" is now 5.10.218-1, and in "bullseye" it's 5.10.209-2, so neither suite is vulnerable.

    The fixed version doesn't change. The current version in suites that still
    get updates does, of course.

    -thh
