maxwillb wrote:
> https://security-tracker.debian.org/tracker/status/release/stable
>
> shows the list of packages currently considered vulnerable, but it does not
> show the severity.

Severity is a matter of opinion. The first opinion should be based on whether the package is even installed. Then on how important the package is. Then, perhaps, what degree of compromise is offered, and then how easy it is to exploit. But other people might have different ideas.

> For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL
> severity but the Debian security tracker simply says "not assigned" (No dev
> so much as bothered to click on the 'NVD' link?)

Well, that one is easy: Debian doesn't ship Google Chrome. If you have Chrome on your system, you got it from some other organization.

There are five bugs noted for Chromium, though, in the security-tracker.debian.org link that you already know.

You should start with the listings for linux, the kernel package, since it's almost guaranteed you have that.

-dsr-