
      ZZLI4424             linux.debian.kernel             1332 messages      


  Msg # 365 of 1332 on ZZLI4424, Wednesday 9-30-25, 1:23  
  From: BEN HUTCHINGS  
  To: SUBHASH  
  Subj: Re: Clarification on Subpackage Mapping   
 From: ben@decadent.org.uk 
  
 On Fri, 2025-09-26 at 07:54 +0000, Subhash wrote:
 > Dear Debian Kernel/Security Team,
 >
 > I hope you're doing well. My name is Subhash, and I'm from the Qualys
 > Security Research Team. I am examining the Debian security tracker entries
 > (https://security-tracker.debian.org/tracker/CVE-xxxx-xxxx), which list the
 > Linux version X.YY.ZZ-N as the fixed version. However, when reviewing the
 > current source package listing at
 > https://packages.debian.org/source/trixie/linux, I see the latest version
 > is A.BB.CC-N, while various subpackages have mixed versions. For example:
 >
 > The Debian security tracker entry
 > (https://security-tracker.debian.org/tracker/CVE-2024-57976) lists the
 > Linux version 6.12.37-1 as the fixed version. However, when reviewing the
 > current source package listing at
 > https://packages.debian.org/source/trixie/linux, I see the latest version
 > is 6.12.48-1, while various subpackages have mixed versions like
 > ata-modules-6.12.31-armmp-di, ata-modules-6.12.41+deb13-armmp-di,
 > btrfs-modules-6.12.31-armmp-di, and xfs-modules-6.12.48-powerpc64le-di,
 > etc.
 >
 > I would like to request clarification on how fixed versions for Linux
 > kernel CVEs map to binary subpackages in Debian. Specifically:
  
 While there are often older versions still present in the archive, they
 shouldn't be included in the package indices and therefore won't be
 installable through APT.
 
 > 1. Could you please clarify how these subpackage versions relate to the
 > fixed source version and which ones include the CVE fix?
  
 The security tracker records only source packages and versions. 
 Generally binary packages should have the same versions as their source 
 packages.  (bpftool and usbip are exceptions to this; they have their 
 own version numbers which we combine with the source package version.) 
  
 This is complicated a bit by the code signing process:
 
 source: linux
           ↓ build
 binary: linux-image--unsigned, linux-image--signed-template, …
           ↓ sign
 source: linux-signed-
           ↓ build
 binary: linux-image-, …
  
 The linux-signed- source packages have a different version number 
 than the linux source package due to Debian conventions for "native" 
 packages, but the final binary package versions will match the linux 
 source package. 
  
 > 2. When a fixed version is specified for the Linux source package, do all
 > subsequent versions also include the fix by default?
  
 All subsequent versions *for the same Debian release* will include the 
 fix, unless it's intentionally reverted for some reason.  Later releases 
 should also get the fix, but aren't always updated in sync. 
  
 > 3. How can we determine the exact set of binary subpackages
 > (xfs-modules-6.12.31-s390x-di, xfs-modules-6.12.41+deb13-riscv64-di,
 > ata-modules-6.12.48+deb13-powerpc64le-di, etc.) built from a given fixed
 > source version?
  
 In general, read the "Binary" field of the source package's .dsc file. 
 Because of the extra code signing step for linux, you'll need to also 
 read the .dsc files for linux-signed-amd64 and linux-signed-arm64. 
  
 > 4. What is the authoritative data source to retrieve this subpackage list
 > for a particular version?
  
 The FTP team's "projectb" database would be authoritative for packages 
 still in the main archive, but it's not public. 
  
 Probably the best source for you would be the snapshot.debian.org API.
  
 > 5. How can we confirm which subpackages are affected by or include a
 > specific CVE fix?
  
 The specific binary packages you listed are used only in the installer 
 (this is indicated by the ".udeb" suffix to the filename and the "-di" 
 suffix in the package name).  They can't be installed on a normal Debian 
 system using APT.  So I don't see any point in trying to work out which 
 of these an issue or fix applies to. 
  
 Ben. 
  
  
 -- 
 Ben Hutchings 
 Horngren's Observation: 
               Among economists, the real world is often a special case. 
  
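Ben's answers to questions 3 and 5 (read the "Binary" field of the linux .dsc plus the linux-signed-* .dsc files; treat udeb / "-di" packages as installer-only) can be turned into a small script. The following is an added example, not code from the thread or from the Debian kernel team. The two .dsc excerpts are constructed stand-ins: the package names follow the real naming scheme, but the package lists and the "6.12.48+1" native-package version assumed for linux-signed-amd64 are hypothetical, and the parser handles only the deb822 fields it needs.

```python
from dataclasses import dataclass

# Constructed stand-in for the relevant fields of a linux .dsc (hypothetical).
LINUX_DSC = """\
Format: 3.0 (quilt)
Source: linux
Binary: linux-headers-6.12.48-common, linux-image-6.12.48-amd64-unsigned,
 linux-image-6.12.48-amd64-signed-template, ata-modules-6.12.48-amd64-di,
 xfs-modules-6.12.48-amd64-di, bpftool
Version: 6.12.48-1
Package-List:
 ata-modules-6.12.48-amd64-di udeb debian-installer standard arch=amd64
 bpftool deb kernel optional arch=linux-any
 linux-headers-6.12.48-common deb kernel optional arch=all
 linux-image-6.12.48-amd64-signed-template deb kernel optional arch=amd64
 linux-image-6.12.48-amd64-unsigned deb kernel optional arch=amd64
 xfs-modules-6.12.48-amd64-di udeb debian-installer standard arch=amd64
"""

# Constructed stand-in for the matching linux-signed-amd64 .dsc. The "+1"
# native-package version is an assumption, not a value from the thread.
LINUX_SIGNED_DSC = """\
Format: 3.0 (native)
Source: linux-signed-amd64
Binary: linux-image-6.12.48-amd64, linux-image-amd64
Version: 6.12.48+1
Package-List:
 linux-image-6.12.48-amd64 deb kernel optional arch=amd64
 linux-image-amd64 deb kernel optional arch=amd64
"""


def parse_deb822(text):
    """Parse one deb822 paragraph into a dict. Continuation lines (leading
    whitespace) are appended to the previous field, newline-separated, so
    list-like fields such as Package-List keep one entry per line."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] = (fields[key] + "\n" + line.strip()).strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


@dataclass
class BinaryPackage:
    name: str
    source: str
    source_version: str
    pkg_type: str          # "deb" or "udeb", taken from Package-List
    installer_only: bool   # udeb / "-di": only used by d-i, not installable via APT


def binaries_from_dsc(dsc_text):
    """Binary packages declared by one .dsc, classified as deb or udeb."""
    f = parse_deb822(dsc_text)
    types = {}
    for entry in f.get("Package-List", "").splitlines():
        parts = entry.split()
        if len(parts) >= 2:
            types[parts[0]] = parts[1]
    result = []
    for name in (n.strip() for n in f["Binary"].split(",")):
        if not name:
            continue
        # Fall back to the "-di" naming convention when Package-List is absent.
        pkg_type = types.get(name, "udeb" if name.endswith("-di") else "deb")
        result.append(BinaryPackage(name, f["Source"], f["Version"], pkg_type,
                                    pkg_type == "udeb" or name.endswith("-di")))
    return result


def binaries_for_fixed_version(dsc_texts):
    """Union of binaries over the linux .dsc and its linux-signed-* .dsc files,
    keyed by binary package name."""
    seen = {}
    for text in dsc_texts:
        for pkg in binaries_from_dsc(text):
            seen[pkg.name] = pkg
    return seen


def installable_binaries(dsc_texts):
    """Names a normal Debian system could install with APT (udebs dropped)."""
    return sorted(n for n, p in binaries_for_fixed_version(dsc_texts).items()
                  if not p.installer_only)


def installer_only_binaries(dsc_texts):
    """Names that exist only for debian-installer and need no CVE triage."""
    return sorted(n for n, p in binaries_for_fixed_version(dsc_texts).items()
                  if p.installer_only)


if __name__ == "__main__":
    pkgs = binaries_for_fixed_version([LINUX_DSC, LINUX_SIGNED_DSC])
    for name, p in sorted(pkgs.items()):
        flag = "installer-only (udeb)" if p.installer_only else "APT-installable"
        print(f"{name:45} {p.source:20} {p.source_version:10} {flag}")
```

Run against real .dsc files fetched from snapshot.debian.org, the same two functions give the binary set for a fixed linux version and separate out the "-di" udebs that the thread says are not worth tracing to a CVE.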
