Comment 0 for bug 2012327

Steve Beattie (sbeattie) wrote :

When a CVE has been issued for an older issue where the fix landed in a release earlier than the devel release, check-cves / active-edit is setting the state of the esm-apps releases incorrectly.

An example CVE that I hit today where this occurs is for CVE-2021-46877 affecting jackson-databind:

$ ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json
Loading /home/steve/git/cve_trackers/debian-security-tracker/data/CVE/list ...
Loading nvdcve-1.1-2021.json ...
 97% [==================================================================================================== ] 130438317 ETA: 0:00:00

***********************************************************************
 CVE-2021-46877 (1/1: 100%)
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
***********************************************************************
 Published: 2023-03-18 22:15:00 UTC
 MISC: https://github.com/FasterXML/jackson-databind/issues/3328
 MISC: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw

======================== CVE details ==========================
 CVE-2021-46877
 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

======================= Debian details ========================
 Debian CVE Tracker: FOUND
        NOTE: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
        NOTE: https://github.com/FasterXML/jackson-databind/issues/3328
        NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
        NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
  Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
    Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-updates/universe
    Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
    Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
    Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
    Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe

A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]

# This results in the following CVE file generated:

  Candidate: CVE-2021-46877
  PublicDate: 2023-03-21
  References:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
   https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
   https://github.com/FasterXML/jackson-databind/issues/3328
   https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
   https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
  Description:
   jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
   2.13.1 allows attackers to cause a denial of service (2 GB transient heap
   usage per read) in uncommon situations involving JsonNode JDK
   serialization.
  Ubuntu-Description:
  Notes:
  Mitigation:
  Bugs:
  Priority: untriaged
  Discovered-by:
  Assigned-to:
  CVSS:

  Patches_jackson-databind:
  upstream_jackson-databind: released (2.13.2.2-1)
  trusty_jackson-databind: ignored (out of standard support)
  xenial_jackson-databind: ignored (out of standard support)
  bionic_jackson-databind: needs-triage
  focal_jackson-databind: needs-triage
  jammy_jackson-databind: needs-triage
  kinetic_jackson-databind: not-affected (2.13.2.2-1)
  trusty/esm_jackson-databind: not-affected
  esm-apps/xenial_jackson-databind: not-affected
  esm-apps/bionic_jackson-databind: not-affected
  esm-apps/focal_jackson-databind: not-affected
  esm-apps/jammy_jackson-databind: not-affected
  devel_jackson-databind: not-affected

Note that the version that Debian noted as fixed landed in the kinetic cycle, so check-cves or active_edit correctly marked that version as not-affected with the version, and then attempted to mark all later versions (which would just be the devel version, lunar) as not-affected, but instead marked trusty/esm and all the esm-apps versions as not-affected.
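The "mark all later releases not-affected" step described in the report, as an added Python sketch that is not check-cves' or active_edit's own code: a naive walk in CVE-file key order reproduces the reported result (trusty/esm and the esm-apps entries follow kinetic in the file), while a series-aware walk reaches only devel. The series ordering, the key order, and all function names are assumptions for this illustration.

```python
# Added example, not part of the cve tracker scripts. Models the propagation
# step from the report: after a release is marked not-affected (version),
# which other releases should also become not-affected?

# Development series in chronological order (assumed for this example).
SERIES_ORDER = ["trusty", "xenial", "bionic", "focal", "jammy", "kinetic", "lunar"]
DEVEL = "lunar"

# Key order as it appears in the generated CVE file quoted in the report.
CVE_FILE_KEYS = [
    "upstream", "trusty", "xenial", "bionic", "focal", "jammy", "kinetic",
    "trusty/esm", "esm-apps/xenial", "esm-apps/bionic", "esm-apps/focal",
    "esm-apps/jammy", "devel",
]


def base_series(release):
    """Map a release key to its underlying series:
    'esm-apps/bionic' -> 'bionic', 'trusty/esm' -> 'trusty', 'devel' -> DEVEL."""
    if release == "devel":
        return DEVEL
    parts = release.split("/")
    return parts[1] if parts[0] == "esm-apps" else parts[0]


def later_by_file_order(fixed_in):
    """Naive: every key listed after the fixed release in the CVE file.
    Reproduces the reported behaviour, since the esm keys follow kinetic."""
    return CVE_FILE_KEYS[CVE_FILE_KEYS.index(fixed_in) + 1:]


def later_by_series(fixed_in):
    """Series-aware: only releases whose base series is newer than the fix."""
    fixed_pos = SERIES_ORDER.index(base_series(fixed_in))
    return [r for r in CVE_FILE_KEYS
            if r != "upstream" and SERIES_ORDER.index(base_series(r)) > fixed_pos]


def initial_states():
    """Constructed starting point: every release still needs triage."""
    return {k: "needs-triage" for k in CVE_FILE_KEYS if k != "upstream"}


def mark_not_affected(states, fixed_in, version, later):
    """Return a copy of states with the fixed release and its 'later' set marked."""
    new = dict(states)
    new[fixed_in] = f"not-affected ({version})"
    for r in later(fixed_in):
        new[r] = "not-affected"
    return new
```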