• clarification on status of CVE-2021-33574

    From Alexandre@21:1/5 to All on Sat Sep 11 11:00:01 2021
    Hi Debian security list,

    I have something I can't really figure out. Is there any reason I'm
    missing why https://security-tracker.debian.org/tracker/CVE-2021-33574
    shows all versions of Debian vulnerable, while it seems to only
    affect glibc 2.32 & 2.33 and all Debian versions (but sid) use 2.31 at
    most?

    Regards

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Alexandre on Wed Sep 15 08:10:02 2021
    Hi Alexandre,

    On Sat, Sep 11, 2021 at 10:57:44AM +0200, Alexandre wrote:
    Hi Debian security list,

    I have something I can't really figure out. Is there any reason I'm
    missing why https://security-tracker.debian.org/tracker/CVE-2021-33574
    shows all versions of Debian vulnerable, while it seems to only
    affect glibc 2.32 & 2.33 and all Debian versions (but sid) use 2.31 at
    most?

    In short: Do not trust version ranges in CVE descriptions.

    For an explanation why this affects older releases as well see the
    upstream issue https://sourceware.org/bugzilla/show_bug.cgi?id=27896

    Furthermore, it can be the case that affected versions were not yet
    triaged on Debian's side.

    Hope this helps,

    Regards,
    Salvatore
