CVE-2023-38545 security fix not listed on NVD databse
Amar Adadande
Here we are reaching out to bring to your attention a critical issue [CVE-2023-38545] that requires immediate attention. It has come to our notice that the recent fixes implemented in Debian as mentioned on tracker (https://security-tracker.debian.org/tracker/CVE-2023-38545) have not yet been updated in the National Vulnerability Database (NVD).
This lack of synchronization poses a potential risk to our system's security, as the NVD is a crucial resource for assessing and addressing vulnerabilities. The timely update of security information is paramount to ensuring the integrity and safety of our systems.
I kindly request your assistance in expediting the process of updating the Debian fixes in the NVD database. It is essential that the latest information is made available to the security community and organizations relying on this database for vulnerability management.
Amar Adadande
Moritz Mühlenhoff
> As part of our organization's security measures, we regularly conduct
> security scans using the National Vulnerability Database (NVD). We have
> noticed that the NVD database used by Debian may not be up to date with the
> latest vulnerabilities.
You seem to be mistaken. We don't use the NVD database for anything and
triage vulnerabilities ourselves.
If any external provider (like apparently the security feed you seem to
be using) uses incorrect/stale data which differs from what we publish
via the Debian Security Tracker you should report this disprepancy to
them, not us.
If you believe to have found incorrect, please see here:
https://security-tracker.debian.org/tracker/data/report
Cheers,
Moritz