OSV debian affected or not

[dioxygene]

hi
i have the version 4.11.0 of DT.

i have a component :

and this vulnerability is raised :

the affected component of the vulnerability

the debian bulletin https://security-tracker.debian.org/tracker/DSA-5123-1

as we can see the version 5.2.4-1+deb10u1 fixe the issue.

could you tell me if it's an OSV issue or a DT issue ?

thanks

[nscuro]

This is likely a bug in DT. Without having tested this particular constellation, I think the <5.2.5-2.1~deb11u1 is what's getting matched here.

DT's current version comparison is generic and unable to detect the various ins and outs of ecosystem-specific versioning. #2826 would help to address that.

[dioxygene]

Thanks for your answers