https://github.com/cisagov/vulnrichment/blob/3a926686c711572123b1d07749c09677c9afbb63/2023/1xxx/CVE-2023-1544.json#L50-L62
https://github.com/cisagov/vulnrichment/blob/3a926686c711572123b1d07749c09677c9afbb63/2023/1xxx/CVE-2023-1544.json#L150-L161

The CNA states that 8.2.0-rc0 has the status unaffected, but the CISA ADP states that version 8.2.0 has the status unknown.

https://bugzilla.redhat.com/show_bug.cgi?id=2180364#c3 (from the references) says:

> Upstream commit:
> https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087
The 85fc35afa93c7320d1641d344d0c5dfbe341d087 code change is present in https://download.qemu.org/qemu-8.2.0.tar.xz and thus 8.2.0 would apparently be unaffected.
The issue is why the CISA ADP container would choose to offer a (potentially misleading?) comment about version 8.2.0 given that the CNA did not directly mention that version. In a typical software engineering process, if release candidate 0 is unaffected then the objective is for the release to also be unaffected.
(Based on the QEMU downloads page, it seems likely that the last affected version that was released was 8.1.0.)
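The inconsistency described above (a CNA marking a release candidate unaffected while an ADP container marks the corresponding final release unknown) is the kind of thing that can be checked mechanically across a vulnrichment checkout. The following script is an added example, not code from the vulnrichment project or from the issue author. It assumes the CVE JSON 5.x layout (`containers.cna.affected[].versions[]` and `containers.adp[].affected[].versions[]`), and the embedded record is a constructed sample modelled on the situation in this issue, not the actual CVE-2023-1544 file; the CVE id in it is a placeholder.

```python
import json

# Constructed sample record in CVE JSON 5.x shape. The version statuses mirror the
# discrepancy discussed in this issue; the CVE id and everything else is a placeholder.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-XXXX-XXXXX"},
    "containers": {
        "cna": {
            "affected": [{
                "product": "qemu",
                "versions": [
                    # Range entries (lessThan/lessThanOrEqual) are skipped by the check below.
                    {"version": "0", "lessThan": "8.2.0-rc0", "status": "affected",
                     "versionType": "custom"},
                    {"version": "8.2.0-rc0", "status": "unaffected"},
                ],
            }],
        },
        "adp": [{
            "providerMetadata": {"shortName": "EXAMPLE-ADP"},
            "affected": [{
                "product": "qemu",
                "versions": [
                    {"version": "8.2.0", "status": "unknown"},
                ],
            }],
        }],
    },
})


def split_version(version):
    """Split '8.2.0-rc0' into ('8.2.0', 'rc0'); a final release gives ('8.2.0', None)."""
    base, sep, pre = version.partition("-")
    return base, (pre if sep else None)


def point_statuses(container):
    """Map (product, exact version) -> status for one container, ignoring range entries."""
    out = {}
    for entry in container.get("affected", []):
        product = entry.get("product", "?")
        for v in entry.get("versions", []):
            if "lessThan" in v or "lessThanOrEqual" in v:
                continue  # a range, not a single version; out of scope for this check
            out[(product, v["version"])] = v.get("status", "unknown")
    return out


def find_prerelease_conflicts(record_json):
    """Report ADP statuses on a final release that contradict a CNA 'unaffected'
    status on a pre-release of the same base version."""
    record = json.loads(record_json)
    containers = record["containers"]
    cna = point_statuses(containers["cna"])
    findings = []
    for adp in containers.get("adp", []):
        provider = adp.get("providerMetadata", {}).get("shortName", "unknown-adp")
        for (product, version), status in point_statuses(adp).items():
            base, pre = split_version(version)
            if pre is not None or status == "unaffected":
                continue  # only final releases not already marked unaffected
            for (cna_product, cna_version), cna_status in cna.items():
                cna_base, cna_pre = split_version(cna_version)
                if (cna_product == product and cna_status == "unaffected"
                        and cna_base == base and cna_pre is not None):
                    findings.append({
                        "cve": record["cveMetadata"]["cveId"],
                        "provider": provider,
                        "product": product,
                        "adp_version": version,
                        "adp_status": status,
                        "cna_version": cna_version,
                    })
    return findings


if __name__ == "__main__":
    for f in find_prerelease_conflicts(SAMPLE_RECORD):
        print(f"{f['cve']}: {f['provider']} marks {f['product']} {f['adp_version']} "
              f"'{f['adp_status']}' while the CNA marks {f['cna_version']} unaffected")
```

Run over a directory of vulnrichment records, the same function flags each ADP container whose final-release status is at odds with a CNA pre-release claim, so these cases can be reviewed rather than discovered one CVE at a time. Range entries are deliberately left alone because comparing them correctly needs the record's `versionType` semantics.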