Data quality issue with DEBIAN-CVE-2025-12428

[amita-seal]

For https://osv.dev/vulnerability/DEBIAN-CVE-2025-12428, under debian:11, there are versions that are for debian:12 and debian:13 listed as vulnerable, which doesn't make sense.

[amita-seal]

Hi @jess-lowe,
any estimate when this can be checked?
Thanks, appreciate it!

[michaelkedar]

Sorry for the delay on getting back to this.
From memory, there's not really a way to get the list of versions of a Debian package available on a specific Debian release version.
I believe OSV currently uses a heuristic to work out the allowed release versions, but I think that's only looking for suffixes starting with a + e.g. +deb11
We might be able to modify the heuristic & re-processes some records, but I think we should look for a more robust solution.
Unfortunately, the team doesn't really have the resources to be looking into this right now.