How to find the Debian severity level for any particular cve?
Is there a way to find the Debian severity level for any particular CVE? For example, Mozilla has just released a fix for Firefox-esr and Thunderbird for CVE-2023-4863, rated by Mozilla as critical.
https://www.mozilla.org/en-US/security/ ... sa2023-40/
This is a zero day exploit.
https://www.bleepingcomputer.com/news/s ... n-attacks/
When I look at the Debian security tracker for the stable suite, in the urgency field for Firefox-esr and Thunderbird it just says "not yet assigned". In fact they all say "not yet assigned". (EDIT: Both Firefox-esr and Thunderbird have now been fixed.)
https://security-tracker.debian.org/tra ... ase/stable
If you look at the Debian security tracker for unstable you can see some "low" urgency ratings.
https://security-tracker.debian.org/tra ... e/unstable
The individual pages for CVE-2023-4863 and Firefox-esr don't say anything about the severity level.
https://security-tracker.debian.org/tra ... irefox-esr
https://security-tracker.debian.org/tra ... -2023-4863
One may think that Debian just hasn't got to it yet, but the same thing is true for previous CVEs. I would sometimes like to find the Debian severity level for previously fixed CVEs, but there is generally not any mention of the Debian severity level, although I have seen "unimportant" twice for open issues.
I have full faith in the Debian devs and am not worried. It's just something I would like to know from time to time.
Re: How to find the Debian severity level for any particular cve?
Hello,
You can see here: Security data are exposed in JSON file format, too: The field "urgency" for each Debian release contains what I suppose you defined as "Debian severity level". It also contains the field "fixed_version".
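One way to pull the "urgency" and "fixed_version" fields out of that JSON for a given CVE, as an added example (not code from the thread or from the Debian tracker project); the embedded data is a constructed sample in the tracker's shape (package > CVE > releases > suite), and the values are illustrative rather than a copy of the live feed:

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample mirroring the layout of
# https://security-tracker.debian.org/tracker/data/json
# Top level is keyed by source package, then CVE id, then "releases" keyed by
# suite; each suite entry carries "status", "urgency" and, once fixed,
# "fixed_version". The values here are illustrative only.
SAMPLE_TRACKER_JSON = """
{
  "chromium": {
    "CVE-2023-4863": {
      "scope": "remote",
      "releases": {
        "bookworm": {"status": "resolved", "urgency": "unimportant",
                     "fixed_version": "117.0.5938.62-1~deb12u1"},
        "sid": {"status": "resolved", "urgency": "unimportant",
                "fixed_version": "117.0.5938.62-1"}
      }
    }
  },
  "firefox-esr": {
    "CVE-2023-4863": {
      "scope": "remote",
      "releases": {
        "bookworm": {"status": "resolved", "urgency": "not yet assigned",
                     "fixed_version": "115.2.1esr-1~deb12u1"},
        "bullseye": {"status": "open", "urgency": "not yet assigned"}
      }
    }
  }
}
"""

Row = Tuple[str, str, str, str, str]  # package, suite, status, urgency, fixed

def load_tracker(path: Optional[str] = None) -> Dict[str, Any]:
    """Load a downloaded copy of the tracker JSON, or the sample if no path."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return json.loads(SAMPLE_TRACKER_JSON)

def cve_urgencies(tracker: Dict[str, Any], cve: str) -> List[Row]:
    """Collect per-package, per-suite status/urgency/fixed_version for one CVE."""
    rows: List[Row] = []
    for package, cves in tracker.items():
        entry = cves.get(cve)
        if not entry:
            continue  # this package is not affected by the CVE
        for suite, rel in sorted(entry.get("releases", {}).items()):
            rows.append((package, suite, rel.get("status", "?"),
                         rel.get("urgency", "not yet assigned"),
                         rel.get("fixed_version", "-")))
    return rows

if __name__ == "__main__":
    for row in cve_urgencies(load_tracker(), "CVE-2023-4863"):
        print("%-12s %-9s %-9s %-17s %s" % row)
```

Pass the path of a saved copy of the JSON feed to load_tracker() to query the real data instead of the sample.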
Re: How to find the Debian severity level for any particular cve?
If you are referring to CVE-2023-4863, it is fixed in buster, bullseye, bookworm and sid (trixie is still affected, probably waiting for the package to arrive from Sid); see:
Re: How to find the Debian severity level for any particular cve?
Thanks. Yes, I understand this. I've been watching. As I said before I am not worried. This is just something I would like to know from time to time.
Mozilla labeled CVE-2023-4863 as critical.
https://www.mozilla.org/en-US/security/ ... sa2023-40/
Ubuntu has labeled CVE-2023-4863 as medium.
https://ubuntu.com/security/CVE-2023-4863
I would just have liked to know what Debian rated it as because this gives an idea of how serious Debian thought it was.
Re: How to find the Debian severity level for any particular cve?
Firefox is fixed. But Chromium is still vulnerable.
Re: How to find the Debian severity level for any particular cve?
If you look at the link that Aki posted, under chromium > CVE-2023-4863 > releases > bookworm the urgency says "unimportant". So I guess Chromium's good.
https://security-tracker.debian.org/tracker/data/json
Re: How to find the Debian severity level for any particular cve?
Shamak wrote: ↑2023-09-18 18:40
If you look at the link that Aki posted, under chromium > CVE-2023-4863 > releases > bookworm the urgency says "unimportant". So I guess Chromium's good.
https://security-tracker.debian.org/tracker/data/json
If you also notice the section header, it says...
The information below is based on the following data on fixed versions..
The "unimportant" remark refers to the fixed version of Chrome present on the sid (unstable) version.
Re: How to find the Debian severity level for any particular cve?
Is this the page you're referring to?
https://security-tracker.debian.org/tra ... -2023-4863
I'm not looking at that page. I'm looking at the json. It's the second link in Aki's first post on this thread.
https://security-tracker.debian.org/tracker/data/json
You can also get there by going to the Debian Security Bug Tracker and clicking on the last link "All information in JSON format".
Re: How to find the Debian severity level for any particular cve?
The Chromium fix is now available for Bookworm (Version 117.0.5938.62). Thanks to the Debian team!
Re: How to find the Debian severity level for any particular cve?
I thought that was going to fix it too but it seems not to have.
https://security-tracker.debian.org/tra ... e/chromium
Re: How to find the Debian severity level for any particular cve?
Shamak wrote: ↑2023-09-19 16:38
I thought that was going to fix it too but it seems not to have.
https://security-tracker.debian.org/tra ... e/chromium
You can tell that tracker page is not up-to-date, because it still refers to the older version 116.0.5845.187.
Re: How to find the Debian severity level for any particular cve?
It seems up to date because all the other bugs got fixed in Bookworm as they were supposed to.
My guess is that's the official description of the bug as it says here.
https://security-tracker.debian.org/tra ... -2023-4863
This page also says that version 117.0.5938.62-1~deb12u1 is vulnerable in Bookworm (security).
Anyway, that's all I've got. I'll give you the last word.