Vulnerability does not acknowledge fixed version

Hello Community,

I have the vulnerability debian-cve-2020-8616 in my environment. Found on a Debian 12 running bind9 “1:9.10.3.dfsg.P4-12.3+deb9u12”.

https://kb.isc.org/docs/cve-2020-8616 tells me, that bind9 is vulnerable between 9.0.0 → 9.11.18 BUT the Debian people say it is fixed in “1:9.10.3.dfsg.P4-12.3+deb9u6”.

How should I deal with this situation? Should I report it as false positive?

Kind Regards

Kaspar

Hi,

The 1:9.10.3xxxx fix applies to “Stretch” which is Debian 9.

You are running on Debian 12 “Bookworm”, which has a different fix version.

This is a common area for confusion, as patches get backported into different package versions corresponding to each OS version.

Turns out the finding was correct!

The system had obsolete packages which were not patched by apt. Maybe caused by a dist-upgrade.

apt list ~o     # list installed packages that no longer exist in any configured repository (apt "obsolete" pattern)
apt purge ~o    # remove those packages together with their configuration files
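The mismatch in this thread (a bind9 build carrying a "+deb9u12" Stretch suffix on a Bookworm host) can be caught mechanically before a scanner reports it. The script below is an added example and not part of the forum thread or of Debian's tooling: it parses `dpkg-query` style lines and flags packages whose Debian security-update suffix (`+debNuM` or `~debNuM`) names a release older than the one the host runs. The package list is constructed sample data; on a real host it would come from `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`, and the running major release from `/etc/debian_version`.

```shell
#!/bin/sh
# Added example (not from the thread): flag installed packages whose
# Debian security-update suffix belongs to an older release than the host.
# Assumption: input lines look like dpkg-query -W -f='${Package} ${Version} ${Status}\n'.

# Constructed sample input; "bind9" mirrors the package from the thread,
# "libssl1.1" is a made-up leftover from Debian 11.
SAMPLE_PKGS='bind9 1:9.10.3.dfsg.P4-12.3+deb9u12 install ok installed
bind9-libs 1:9.18.19-1~deb12u1 install ok installed
openssl 3.0.11-1~deb12u2 install ok installed
libssl1.1 1.1.1n-0+deb11u5 install ok installed
curl 7.88.1-10 install ok installed'

# flag_stale_packages <running_major_release> <dpkg-query lines>
# Prints "package version (built for Debian N)" for every installed package
# whose +debNuM / ~debNuM suffix names a release older than <running_major_release>.
flag_stale_packages() {
    running="$1"
    printf '%s\n' "$2" | awk -v run="$running" '
        # only consider packages in the "install ok installed" state
        $3 == "install" && $5 == "installed" {
            # locate a suffix such as +deb9u12 or ~deb12u1 in the version string
            if (match($2, /[+~]deb[0-9]+u[0-9]+/)) {
                tag = substr($2, RSTART, RLENGTH)
                rel = tag
                sub(/^[+~]deb/, "", rel)   # strip "+deb" / "~deb"
                sub(/u.*/, "", rel)        # keep only the release number
                if (rel + 0 < run + 0)
                    print $1 " " $2 " (built for Debian " rel ")"
            }
        }'
}

# Stand-alone run against the constructed sample, pretending the host is Debian 12.
# On a real host:
#   flag_stale_packages "$(cut -d. -f1 /etc/debian_version)" \
#       "$(dpkg-query -W -f='${Package} ${Version} ${Status}\n')"
flag_stale_packages 12 "$SAMPLE_PKGS"
```

The check only sees packages whose version string carries a Debian update suffix, so it complements rather than replaces `apt list ~o`, which catches any installed package absent from the configured repositories regardless of how its version is named. Running both after a dist-upgrade shows which findings are real before they are dismissed as false positives.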