Debian Local Security Checks

Hi,

I am wondering why the local Debian security check for CVE-2023-38408 in Greenbone only includes the Debian 10 version in affected versions, while both Debian 11 and 12 seem to be affected by the same vulnerability? I see that you base it on the DLA-3532-1 given by Debian, which only includes “buster”. However, Debian also says that it has been fixed in newer “bullseye” and “bookworm” versions.
https://security-tracker.debian.org/tracker/CVE-2023-38408
https://metadata.ftp-master.debian.org/changelogs//main/o/openssh/openssh_9.2p1-2+deb12u2_changelog
https://metadata.ftp-master.debian.org/changelogs//main/o/openssh/openssh_8.4p1-5+deb11u3_changelog

Why isn’t the NVT including those versions? Were they not vulnerable, or what is the reason?

Best regards
Bob

AFAICT most/all local security checks (LSCs) for Linux distributions are purely based on published vendor advisories like e.g. the mentioned DLA-3523-1. As long as there is no vendor advisory (like seen for bullseye or bookworm in the Origin column) there won’t be any LSC as well.

Were they not vulnerable, or what is the reason?

I would suggest contacting the Debian security team for clarification on this.
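Since an advisory-keyed LSC can leave a suite uncovered, an admin can still verify hosts directly against the fixed versions from the changelogs linked in the question. The script below is an added example, not Greenbone or Debian code: it implements dpkg's version-ordering rules and compares a constructed `dpkg-query` line against those fixed versions; the `1:` epoch on the openssh packages is an assumption about how dpkg reports them.

```python
import re

# Fixed versions from the changelog links in the question; the "1:" epoch is
# an assumption about how dpkg reports the openssh packages on these suites.
FIXED_CVE_2023_38408 = {
    "bullseye": "1:8.4p1-5+deb11u3",
    "bookworm": "1:9.2p1-2+deb12u2",
}

def _order(c):
    # dpkg weighting: '~' sorts before end-of-string, letters before other chars.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return wa - wb
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (dpkg lexical weighting) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        if (r := _cmp_nondigit(na, nb)):
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if (r := int(da or 0) - int(db or 0)):
            return r
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; the revision follows the last hyphen.
    epoch, upstream = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = upstream.rpartition("-") if "-" in upstream else (upstream, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 following the dpkg version-ordering rules."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def check_dpkg_line(suite, line):
    """line is 'package version', as printed by dpkg-query -W -f '${Package} ${Version}\\n'."""
    pkg, installed = line.split()
    fixed = FIXED_CVE_2023_38408[suite]
    return {"package": pkg, "installed": installed, "fixed": fixed,
            "vulnerable": compare_versions(installed, fixed) < 0}

if __name__ == "__main__":
    # Constructed sample line, not output from a real host.
    print(check_dpkg_line("bookworm", "openssh-server 1:9.2p1-2+deb12u1"))
```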
