On Thursday, February 01, 2018 01:03:29 AM Matija Nalis wrote:
> nor does debian security tracker list the updates as available for
> jessie/stretch:
> https://security-tracker.debian.org/tracker/source-package/clamav
>
> (security-tracker does say in hover text that jessie
> "gets updated via -updates", so it should pick that up)
>
> it correctly reports wheezy, buster and sid as fixed.
>
> for example, see also
> https://security-tracker.debian.org/tracker/CVE-2017-12376
>
> this looks to me also like something that should be fixed (somewhere)?

By design, the security tracker doesn't consider things 'fixed' in stable via updates until after it's included in a Debian point release. I agree it's not totally clear, but the way it's working is what the security team intends.

Scott K