
I see on cve.mitre.org that the OpenLDAP (slapd) package has plenty of vulnerabilities prior to 2.4.57.

If I want to install OpenLDAP from the official repositories on my Debian 10, the available version is slapd/oldstable,oldstable 2.4.47+dfsg-3+deb10u6 amd64.

Are the security patches for those CVEs backported to this 2.4.47 version, or do I have to take the latest release (2.6.x) from the official website and install it from source to get rid of those CVEs?

Thank you.

Stormrice

1 Answer


Usually packages are patched against security issues, regardless of their version. So if you see something like "A flaw was discovered in OpenLDAP before 2.4.57...", and you have 2.4.49 installed on your system, it doesn't necessarily (in most cases: it just doesn't) mean your server is vulnerable, provided, of course, your package came from the official Debian repository.

You can check if a package has a specific vulnerability patched on the Debian security bug tracker. There are links for checking the currently vulnerable packages, but you can search for a package or a CVE ID (at the bottom of the page), and check if a certain vulnerability is patched or not.

If you want to see a package, you should provide the source package, not the actual one you install. For example, for slapd, the source package is called openldap, so you should use that when listing vulnerabilities. The source of the given package can be queried with the following command:

apt-cache show (package) | grep Source:

Lacek
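The lookup described in the answer, as an added example that is not part of the original post: a small POSIX shell helper that reads the output of apt-cache show, resolves the binary package to the source package the Debian security tracker indexes (falling back to the binary name when there is no Source: line, and dropping a version in parentheses when one is present), and builds the tracker URL. The sample apt-cache output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the answer above): map a Debian binary package to the
# source package name used by https://security-tracker.debian.org and build the URL.

# Read "apt-cache show <pkg>" output on stdin and print the source package name.
# Two cases need handling:
#   - no "Source:" line: the source package has the same name as the binary package
#   - "Source: openldap (2.4.47+dfsg-3+deb10u6)": a version may follow in parentheses
#     and must be dropped; only the first stanza's value is used
source_package() {
    pkg="$1"
    src=$(sed -n 's/^Source: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$src" ]; then
        printf '%s\n' "$pkg"
    else
        printf '%s\n' "$src"
    fi
}

# Page of a source package on the Debian security tracker, listing each CVE and
# whether it is fixed, open or not affected for every suite.
tracker_url() {
    printf 'https://security-tracker.debian.org/tracker/source-package/%s\n' "$1"
}

# On a real Debian system:
#   apt-cache show slapd | source_package slapd        # prints: openldap
#   tracker_url "$(apt-cache show slapd | source_package slapd)"
# The Debian changelog of the installed package also names the CVEs each upload fixed:
#   apt-get changelog slapd | grep -o 'CVE-[0-9]*-[0-9]*' | sort -u
```

Cross-checking the tracker page against the CVE IDs in the package changelog is the quickest way to confirm that a "before 2.4.57" advisory was backported into the 2.4.47+dfsg-3+deb10u6 build.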