On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> https://security-tracker.debian.org/tracker/status/release/stable
>
> shows the list of packages currently considered vulnerable, but it does not
> show the severity.
>
> For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL
> severity but the Debian security tracker simply says "not assigned" (No dev
> so much as bothered to click on the 'NVD' link?)
>
> Merry Christmas!
>
> --
> Sent with https://mailfence.com
> Secure and private email
>
Hi Maxwillb

If you click through any one of the CVE links, you find a link to a specific
bug. That link also links to the bugs reported by other distributions, the
Debian bug number and the NVD score - all the info you may need.

The "not yet assigned" may be that the Debian Security Team haven't assigned
it a DSA number or decided on how severe it is "to Debian".

Taking the first one - first bug for aom - there's an assessment of which
releases are vulnerable. There's a fixed release in testing. It links to
various other bugs in Chromium. The next two CVEs for aom are also linked to
the first bug and fixes backported to stable by the maintainer.

It's not as if people are massively dropping the ball here, in spite of your
apprehension.

Hope this helps, and with very best regards as ever.

Andy Cater