Control: forcemerge 823664 898458

Hi Tomasz,

On Sat, May 12, 2018 at 06:36:39AM +1000, Tomasz Ciolek wrote:
> Package: debsecan
> Version: 0.4.19~deb9u1
> Severity: normal
>
> Dear Maintainer,
>
> This has been bugging me for a while. debsecan shows the following package as
> being vulnerable and having updates available to fix the issue:
>
> *** Available security updates
>
> CVE-2017-15908 In systemd 223 through 235, a remote DNS server can...
>   <https://security-tracker.debian.org/tracker/CVE-2017-15908>
>   - libudev1, libpam-systemd, libsystemd0, udev, systemd
>     (remotely exploitable, medium urgency)
>
> CVE-2017-9445 In systemd through 233, certain sizes passed to...
>   <https://security-tracker.debian.org/tracker/CVE-2017-9445>
>   - libudev1, libpam-systemd, libsystemd0, udev, systemd
>     (remotely exploitable, medium urgency)
>
> Upon checking the security tracker for both CVE-2017-15908 and CVE-2017-9445
> I saw that I needed systemd 232-25+deb9u2 to apply the fixes. My system
> has systemd 232-25+deb9u3 installed, as shown below:

I believe that is the same issue as #823664 when an update is already
available via $codename-updates. Since this is technically not yet in
stable or stable-security there is confusion.

Regards,
Salvatore