product advisories update

This commit is contained in:
master
2025-12-30 16:05:16 +02:00
parent f2565a3224
commit e6ee092c7a
7 changed files with 2544 additions and 350 deletions


@@ -0,0 +1,617 @@
Heres a compact, plugandplay plan to build a **crossdistro “golden set”** so your retrieval can correctly handle **backported fixes** and avoid false “still vulnerable” flags.
---
# What this golden set is
A small, curated corpus of tuples **(distro, release, package, CVE)** with:
* the **vendordeclared fixed version** (what the distro claims)
* a **counterexample** where **upstream is still affected** but the distro **backported** the patch (so version comparison alone would be misleading)
Use it as regression tests + seed facts for your policy engine and matchers.
---
# Minimum schema (normalize for reuse)
**Tables**
* `vendor_package`
`(vendor_id, distro, release, src_name, bin_name, epoch, version, revision, arch)`
* `cve`
`(cve_id, description, CWE, published, severity, cvss_vector)`
* `fix_decl` (vendor declarations)
`(distro, release, src_name, cve_id, status ENUM('fixed','not_affected','affected','wont_fix'), fixed_epoch, fixed_version, fixed_revision, evidence_uri, evidence_hash, declared_at)`
* `patch_evidence` (backport facts)
`(distro, release, src_name, cve_id, patch_id, upstream_commit, backport_commit, applied_in_epoch, applied_in_version, applied_in_revision, diff_hash, proving_fn ENUM('hunk','symbol','function','binary'), notes)`
* `upstream_affects` (ground truth on upstream tags)
`(project, cve_id, affected_range (SemVer/commit range), last_affected_tag, first_fixed_tag, fix_commit)`
* `golden_case` (test harness)
`(case_id, distro, release, src_name, bin_name, cve_id, vendor_fixed_spec, upstream_state ENUM('still_affected','fixed'), backport_present BOOL, rationale)`
**Indexes**
* `idx_fix_decl_key (distro, release, src_name, cve_id)`
* `idx_patch_evidence_key (distro, release, src_name, cve_id)`
* `idx_upstream_affects (project, cve_id)`
---
# Version math you must use
Implement distrospecific comparators:
* **Debian/Ubuntu**: `dpkg --compare-versions` (Epoch:Version-Revision)
* **RHEL/Fedora/CentOS/SUSE**: **RPMVERCMP** (Epoch:Version-Release)
* **Alpine**: **apk version** rules
Store a normalized sortable key (e.g., `verkey`) alongside raw fields for each family.
---
# Goldenset curation algorithm (daily job)
1. **Select targets**
* Choose top N packages (openssl, glibc, curl, zlib, libxml2, expat, xz, sudo, bash, systemd, sqlite, curl, busybox, python3 stdlib, musl, libssh2, libx11, nginx, apache, postgresql, mariadb, openssh).
* Cross all with major CVEs known to have **backports**.
2. **Ingest vendor claims**
* Scrape/consume security trackers (Debian, Ubuntu USN, RHEL, SUSE, Alpine, Fedora). Normalize into `fix_decl`.
* Compute `verkey_fixed`.
3. **Verify backport reality**
* For each `(distro, release, pkg, cve)` with status “fixed” where **upstream tag** still falls in `affected_range`:
* Pull **src package diff** (dsc+patches or SRPM .patch).
* Extract fixhunks (functions/symbols) from upstream `fix_commit`.
* Run **proving functions**:
* `hunk` match: patch hunks present
* `symbol/function` match: AST/name diff present
* `binary` match: pattern in compiled object (for golden set, keep sourcelevel first)
* If proof ≥ threshold, write to `patch_evidence` and set `backport_present=true` in `golden_case`.
4. **Create counterexample**
* Ensure at least one case per distro where:
* **Upstream version number looks vulnerable**, but distro has **backport evidence** → mark as **“counterexample”** in `golden_case`.
5. **Attest facts**
* Generate DSSE/intoto attestations for each row (content hash of patches/diffs + URLs). Store `evidence_hash`.
---
# Retrievaltime decision function (pseudo)
```
bool is_vulnerable(pkg, ver, distro, release, cve):
decl = get_fix_decl(distro, release, pkg.src, cve)
if decl is null:
return heuristic_by_upstream_ranges(pkg.project, ver, cve)
if decl.status == 'not_affected': return false
if decl.status == 'wont_fix': return true // unless patch_evidence says otherwise
// status == 'fixed' -> check two paths
if compare(ver, decl.fixed_spec, distro_family) >= 0:
return false // version >= declared fixed
// version < declared fixed: still check for backport proof pinned to our exact build
if has_patch_evidence(distro, release, pkg.src, cve, ver):
return false // verified backport on this version/build
return true
```
**Note:** `has_patch_evidence` should accept **(epoch, version, revision)** and allow `applied_in_* <= installed_*`.
---
# Golden test harness (what “must pass”)
For each `golden_case`:
1. Resolve installed `(epoch,version,revision)`.
2. Evaluate `is_vulnerable`.
3. Assert expected:
* **Vendorfixed + backport_present → expected false** even if upstream says affected.
* **No backport + version < fixed_spec expected true**.
Emit a short **VEX** (CycloneDX VEX or CSAF) per case to keep your engine VEXfirst.
---
# Minimal data loaders (first pass)
* **Debian/Ubuntu**: `security-tracker`, USN JSON, `Sources` + `.dsc` + `debian/patches/*`.
* **RHEL/Fedora/SUSE**: OVAL/OVALRPM, advisories (RHSA/SUSESU), SRPM patches.
* **Alpine**: `secdb`, `APKBUILD` diffs (`.patch` in `community/main`).
---
# Ship list (MVP → Week 12)
* Parsers: dpkg/rpm/apk version compare libs in C# (+ test vectors).
* Ingestors for **Debian, Ubuntu, RHEL, SUSE, Alpine, Fedora** `fix_decl`.
* Patch proof: hunkmatcher (linefuzzy, filename maps), symbolfinder (ctags or Roslyn/ctagslike for C).
* 50100 curated `golden_case` rows with airtight evidence.
If you want, I can drop a readytouse PostgreSQL DDL + sample rows and a C# `VersionComparer` + `BackportProof` interface next.
# Golden Set of Backport Test Cases (Distro Release Package CVE)
Each row highlights a case where a distro shipped a **patched older version** below the upstream fixed version. This causes naive version checks to wrongly flag the package as vulnerable. We include the vendors fixed package version, the upstream version range still affected (i.e. up to but _not_ including the upstream fix), evidence of the backport (patch/changelog references), a flag if upstream would consider the vendors version vulnerable, and a brief rationale.
| **Distro (Release)** | **Source Package** | **CVE ID** | **Vendor Fixed Version** | **Upstream Affected Versions** | **Backport Evidence** | **Upstream Says Affected?** | **Rationale** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Debian 7 Wheezy | openssl | CVE-2014-0160 | 1.0.1e-2+deb7u5[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5) | 1.0.1 through 1.0.1f (fixed in 1.0.1g)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Name%20CVE,Debian%20ELTS%2C%20%208%20Red)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Package%20Type%20Release%20Fixed%20Version,1743883) | **Yes** (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed patch applied (Debian backported fix)[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5). Upstream requires 1.0.1g, so 1.0.1e is normally seen as vulnerable. | |
| RHEL 6 (6.5) | openssl | CVE-2014-0160 | 1.0.1e-16.el6\_5.7[helpdesk.kaseya.com](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6) | 1.0.1 through 1.0.1f (fixed in 1.0.1g)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Description%20The%20,Debian%20ELTS%2C%20%208%20Red) | **Yes** (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed fix backported (openssl-1.0.1e-16.el6). Upstream 1.0.1e is Heartbleed-affected[helpdesk.kaseya.com](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6). | |
| RHEL 7 | openssl | CVE-2020-1971 | 1.0.2k-21.el7\_9[suse.com](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[linuxsecurity.com](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm) | OpenSSL 1.1.1h and 1.0.2(-unsupported) (fixed in 1.1.1i & 1.0.2u)[openssl-library.org](https://openssl-library.org/news/timeline/#:~:text=Release%20and%20Advisory%20Timeline%20,Truncated%20packet%20could) | **Yes** (1.0.2k < 1.0.2u) | OpenSSL 1.0.2k with NULL pointer deref fix backported (RHEL7 openssl-1.0.2k-21). Upstream says 1.0.2k is affected[suse.com](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[linuxsecurity.com](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm). | |
| Ubuntu 20.04 LTS Focal | apache2 | CVE-2024-39573 | 2.4.41-4ubuntu3.19[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22) | Apache HTTPd 2.4.59 (fixed in 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Description) | **Yes** (2.4.41 < 2.4.60) | Apache 2.4.41 with SSRF fix backported (Ubuntu patchset). Version 2.4.41 is below upstream 2.4.60 fix[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue). | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-39573 | 2.4.51-35.51.1 (patched build)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Package%20List%3A) | Apache HTTPd 2.4.59 (fixed in 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache 2.4.51 in SLES12 SP5 with backported fix[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A). Upstream considers <2.4.60 vulnerable, so 2.4.51 would normally be flagged. | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38477 | 2.4.51-35.51.1 (same update)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A) | Apache HTTPd 2.4.59 (fixed by 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache mod\_proxy null-pointer fix backported into 2.4.51[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A). Version appears older than upstream fix version. | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38475 | 2.4.51-35.51.1 (same update)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268) | Apache HTTPd 2.4.59 (fixed by 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache mod\_rewrite output-escaping issue fixed on 2.4.51 via patch[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268). Vendor version < upstream fixed version. | |
| Debian 9 Stretch | openssh | CVE-2018-15473 | 1:7.4p1-10+deb9u4[lists.debian.org](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=For%20the%20stable%20distribution%20,10%2Bdeb9u4) | OpenSSH 7.7 (fixed in 7.8/7.9)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2018-15473#:~:text=CVE,an%20invalid%20authenticating%20user) | **Yes** (7.4 < 7.8) | OpenSSH 7.4p1 (Stretch) patched for user-enumeration flaw[lists.debian.org](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=Dariusz%20Tytko%2C%20Michal%20Sajdak%20and,existed%20on%20the%20target%20server). Upstream required 7.8, so 7.4p1 normally seen as affected. | |
| Debian 10 Buster | sudo | CVE-2021-3156 | 1.8.27-1+deb10u3[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1) | sudo <1.9.5p2 (fixed in 1.9.5p2)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Name%20CVE,ELTS%2C%20Red%20Hat%2C%20Ubuntu%2C%20Gentoo)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=sudo%20%28PTS%29bullseye%201.9.5p2,1%20fixed) | **Yes** (1.8.27 < 1.9.5p2) | sudo 1.8.27 in Buster with Baron Samedit patch[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1). Upstream says versions below 1.9.5p2 are vulnerable, so 1.8.27 would be flagged[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Name%20CVE,ELTS%2C%20Red%20Hat%2C%20Ubuntu%2C%20Gentoo). | |
| RHEL 7 | sudo | CVE-2019-14287 | 1.8.23-4.el7\_7.1[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA) | sudo 1.8.27 (fixed in 1.8.28)[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA)[nvd.nist.gov](https://nvd.nist.gov/vuln/detail/cve-2017-1000367#:~:text=Todd%20Miller%27s%20sudo%20version%201,function) | **Yes** (1.8.23 < 1.8.28) | sudo 1.8.23 in RHEL7 patched for Runas All bug[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA). Upstream fix came later (1.8.28), so 1.8.23 is normally marked affected. | |
| Debian 8 Jessie | sudo | CVE-2017-1000367 | 1.8.10p3-1+deb8u4[lists.debian.org](https://lists.debian.org/debian-security-announce/2017/msg00127.html#:~:text=an%20SELinux,full%20root%20privileges) | sudo 1.8.20 (fixed in 1.8.21)[nvd.nist.gov](https://nvd.nist.gov/vuln/detail/cve-2017-1000367#:~:text=Todd%20Miller%27s%20sudo%20version%201,function)[security.snyk.io](https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955#:~:text=Race%20Condition%20in%20sudo%20,2%20or%20higher.%20NVD%20Description) | **Yes** (1.8.10 < 1.8.21) | sudo 1.8.10p3 in Jessie got the tty hijack fix backported[lists.debian.org](https://lists.debian.org/debian-security-announce/2017/msg00127.html#:~:text=an%20SELinux,full%20root%20privileges). Upstream resolved it in a much newer sudo release, so 1.8.10p3 would appear vulnerable. | |
| Ubuntu 12.04 LTS Precise | bash | CVE-2014-6271 | 4.2-2ubuntu2.5[askubuntu.com](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it#:~:text=dpkg%20,Version) | Bash 4.3 (fixed in 4.3 patch)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-6271#:~:text=Description%20GNU%20Bash%20through%204,present%20after%20the%20incorrect%20fix) | **Yes** (4.2 < 4.3-fixed) | Bash 4.2 on Precise patched for Shellshock[askubuntu.com](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it#:~:text=dpkg%20,Version). Version 4.2 is below upstream 4.3 fix, so normally flagged as Shellshock-vulnerable. | |
| Debian 10 Buster (LTS) | curl | CVE-2023-27533 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with TELNET injection fix backported (Debian LTS)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Upstream requires curl 8.x, so 7.64.0 is seen as affected. | |
| Debian 10 Buster (LTS) | curl | CVE-2023-27535 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with FTP reuse auth bypass fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Version appears vulnerable by upstream standards (<8.0). | |
| Debian 10 Buster (LTS) | curl | CVE-2023-27536 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with GSSAPI delegation reuse fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Upstream would mark 7.64.0 vulnerable. | |
| Debian 10 Buster (LTS) | curl | CVE-2023-27538 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with SSH connection reuse fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Version number <8.0 means upstream would treat it as unfixed. | |
| Fedora 34 | glibc | CVE-2021-33574 | glibc-2.33-16.fc34[lists.fedoraproject.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/#:~:text=%5BSECURITY%5D%20Fedora%2034%20Update%3A%20glibc,11%202021%20Arjun%20Shankar) | glibc 2.33 (fixed in 2.34)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST) | **Yes** (2.33 < 2.34) | glibc 2.33 with `mq_notify` use-after-free fix applied (Fedora update). Upstream fix came in 2.34, so 2.33 is normally flagged as vulnerable. | |
| RHEL 8 | glibc | CVE-2024-2961 | glibc-2.28-236.el8\_9.13[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,31)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Vulnerable,263) | glibc 2.39 (fixed in 2.40)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459) | **Yes** (2.28 < 2.40) | glibc 2.28 with `iconv()` overflow fix backported (RHEL8 patch)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459). Upstream requires 2.40+, so 2.28 is considered affected. | |
| RHEL 7 | glibc | CVE-2015-0235 | glibc-2.17-55.el7\_0.5[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=%2A%20%60glibc%20%3E%3D%202.17,55.el7_0.5) | glibc 2.2 up to 2.17 (fixed in 2.18)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST) | **Yes** (2.17 < 2.18) | glibc 2.17 with GHOST bug patched (RHEL7 update)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Product,SUSE%20Liberty%20Linux%207). Upstream fix was in 2.18; 2.17 is normally flagged as vulnerable[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST). | |
| RHEL 7 | systemd | CVE-2020-1712 | systemd-219-57.el7\_8 (patch backport)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64) | systemd 242 (fixed in 243)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=A%20heap%20use,1712) | **Yes** (219 < 243) | systemd 219 with use-after-free fix backported (RHEL7/AL2 update)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=A%20heap%20use,1712)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64). Upstream fix is in v243, so v219 would be marked vulnerable. | |
| Alpine 3.10 | musl libc | CVE-2020-28928 | 1.1.22-r4[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code) | musl 1.2.1 (fixed in 1.2.2)[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=CPE%20URI%20Source%20package%20Min,1.2.1) | **Yes** (1.1.x < 1.2.2) | musl 1.1.22 with `wcsnrtombs()` overflow fixed (Alpine 3.10)[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code). Upstream fixed in 1.2.2, so 1.1.22 would normally be considered vulnerable. | |
| Ubuntu 20.04 LTS Focal | openssl | CVE-2022-0778 | 1.1.1f-1ubuntu2.15 (patched)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version) | OpenSSL 1.1.1m (fixed in 1.1.1n)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version) | **Yes** (1.1.1f < 1.1.1n) | OpenSSL 1.1.1f with BN infinite-loop fix backported (Ubuntu)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version). Upstream says only 1.1.1n+ is safe, so 1.1.1f appears vulnerable to scanners. | |
**Sources:** Vendor security advisories and trackers (Debian DSAs, Ubuntu CVE/USN pages, Red Hat errata, SUSE and Alpine trackers) are linked above to confirm patch versions and upstream fix info[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1) etc. Each case demonstrates a backported security fix where the package version alone is misleading, helping test vulnerability scanners ability to detect patched-but-backported packages instead of raising false positives.
Citations
[
![](https://www.google.com/s2/favicons?domain=https://lists.debian.org&sz=32)
\[SECURITY\] \[DSA 2896-1\] openssl security update
https://lists.debian.org/debian-security-announce/2014/msg00071.html
](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5)[
![](https://www.google.com/s2/favicons?domain=https://security-tracker.debian.org&sz=32)
CVE-2014-0160
https://security-tracker.debian.org/tracker/CVE-2014-0160
](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Name%20CVE,Debian%20ELTS%2C%20%208%20Red)[
![](https://www.google.com/s2/favicons?domain=https://security-tracker.debian.org&sz=32)
CVE-2014-0160
https://security-tracker.debian.org/tracker/CVE-2014-0160
](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Package%20Type%20Release%20Fixed%20Version,1743883)[
CVE-2014-0160: OpenSSL Heartbleed Vulnerability Kaseya
https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability
](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6)[
![](https://www.google.com/s2/favicons?domain=https://security-tracker.debian.org&sz=32)
CVE-2014-0160
https://security-tracker.debian.org/tracker/CVE-2014-0160
](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Description%20The%20,Debian%20ELTS%2C%20%208%20Red)[
![](https://www.google.com/s2/favicons?domain=https://www.suse.com&sz=32)
CVE-2020-1971 Common Vulnerabilities and Exposures - SUSE
https://www.suse.com/security/cve/CVE-2020-1971.html
](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[
![](https://www.google.com/s2/favicons?domain=https://linuxsecurity.com&sz=32)
Scientific Linux 7.x SLSA-2020-5566-1 Critical OpenSSL Update
https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13
](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm)[
![](https://www.google.com/s2/favicons?domain=https://openssl-library.org&sz=32)
Release and Advisory Timeline | OpenSSL Library
https://openssl-library.org/news/timeline/
](https://openssl-library.org/news/timeline/#:~:text=Release%20and%20Advisory%20Timeline%20,Truncated%20packet%20could)[
![](https://www.google.com/s2/favicons?domain=https://ubuntu.com&sz=32)
CVE-2024-39573 | Ubuntu
https://ubuntu.com/security/CVE-2024-39573
](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[
![](https://www.google.com/s2/favicons?domain=https://ubuntu.com&sz=32)
CVE-2024-39573 | Ubuntu
https://ubuntu.com/security/CVE-2024-39573
](https://ubuntu.com/security/CVE-2024-39573#:~:text=Description)[
![](https://www.google.com/s2/favicons?domain=https://ubuntu.com&sz=32)
CVE-2024-39573 | Ubuntu
https://ubuntu.com/security/CVE-2024-39573
](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue)[
![](https://www.google.com/s2/favicons?domain=https://www.suse.com&sz=32)
Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support | SUSE
https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/
](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A)[
![](https://www.google.com/s2/favicons?domain=https://www.suse.com&sz=32)
Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support | SUSE
https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/
](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Package%20List%3A)[
![](https://www.google.com/s2/favicons?domain=https://www.suse.com&sz=32)
Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support | SUSE
https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/
](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268)[
![](https://www.google.com/s2/favicons?domain=https://www.suse.com&sz=32)
Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support | SUSE
https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/
](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268)[
![](https://www.google.com/s2/favicons?domain=https://lists.debian.org&sz=32)
\[SECURITY\] \[DSA 4280-1\] openssh security update
https://lists.debian.org/debian-security-announce/2018/msg00209.html
](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=For%20the%20stable%20distribution%20,10%2Bdeb9u4)[
![](https://www.google.com/s2/favicons?domain=https://security-tracker.debian.org&sz=32)
CVE-2018-15473 - Security Bug Tracker - Debian
https://security-tracker.debian.org/tracker/CVE-2018-15473
](https://security-tracker.debian.org/tracker/CVE-2018-15473#:~:text=CVE,an%20invalid%20authenticating%20user)[
![](https://www.google.com/s2/favicons?domain=https://lists.debian.org&sz=32)
\[SECURITY\] \[DSA 4280-1\] openssh security update
https://lists.debian.org/debian-security-announce/2018/msg00209.html
](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=Dariusz%20Tytko%2C%20Michal%20Sajdak%20and,existed%20on%20the%20target%20server)[
![](https://www.google.com/s2/favicons?domain=https://security-tracker.debian.org&sz=32)
CVE-2021-3156
https://security-tracker.debian.org/tracker/CVE-2021-3156
](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1)[
CVE-2021-3156 (Debian Security Tracker)](https://security-tracker.debian.org/tracker/CVE-2021-3156)

* [CVE-2019-14287 Common Vulnerabilities and Exposures - SUSE](https://www.suse.com/security/cve/CVE-2019-14287.html)
* [CVE-2017-1000367 Detail - NVD](https://nvd.nist.gov/vuln/detail/cve-2017-1000367)
* [\[SECURITY\] \[DSA 3867-1\] sudo security update](https://lists.debian.org/debian-security-announce/2017/msg00127.html)
* [Race Condition in sudo | CVE-2017-1000367 | Snyk](https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955)
* [security - What is the CVE-2014-6271 bash vulnerability (Shellshock) and how do I fix it? - Ask Ubuntu](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it)
* [CVE-2014-6271 (Debian Security Tracker)](https://security-tracker.debian.org/tracker/CVE-2014-6271)
* [\[SECURITY\] \[DLA 3398-1\] curl security update](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html)
* [Information on source package curl - Security Bug Tracker - Debian](https://security-tracker.debian.org/tracker/source-package/curl)
* [\[SECURITY\] Fedora 34 Update: glibc-2.33-16.fc34](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/)
* [CVE-2015-0235 Common Vulnerabilities and Exposures | SUSE](https://www.suse.com/security/cve/CVE-2015-0235.html)
* [oss-security - The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence](https://www.openwall.com/lists/oss-security/2024/04/17/9)
* [ALAS2-2020-1388](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html)
* [CVE-2020-28928 — Alpine Security Tracker](https://security.alpinelinux.org/vuln/CVE-2020-28928)
* [How can I know that Ubuntu 18.04 Bionic's latest OpenSSL is really ...](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n)