Understanding 'Versions known to be not vulnerable' in Security Advisories
Hello,
I'm trying to understand the implications of the choice of vulnerable versions in F5 Networks Security Advisories. I frequently see entries like:
Product / Versions known to be vulnerable / Versions known to be not vulnerable
BIG-IP PSM / 11.4.0 - 11.4.1 / None
[https://support.f5.com/csp/article/K90803619]
So there are no fixes for this CVE in BIG-IP PSM 11.4.0 despite newer versions for BIG-IP PSM (12.1.2, 13.0.0) that are not listed as vulnerable.
My question aims at the logic for the column 'Versions known to be not vulnerable'. Are the versions listed there chosen only from the same branch as the versions listed as 'Versions known to be vulnerable'? Would you recommend that a user of BIG-IP PSM 11.4.0 upgrade to a version of another branch like 12.1.2 in this case?