Dear Debian Team,

Via the security-tracker, Debian provides information about the vulnerable and
fixed package versions.
However, I wanted to ask if the named vulnerable version is the version where 
the vulnerability was first identified or if it is the lowest number of a 
vulnerable package.
Example:
https://security-tracker.debian.org/tracker/CVE-2022-0330
buster    4.19.208-1    vulnerable    fixed in 4.19.232-1

Is the vulnerability from >= 4.19.208-1 and < 4.19.232-1?
Or is every version lower than the fixed version vulnerable (< 4.19.232-1)?

Thanks a lot.

Kind regards.
Kerstin Zuzej
