[Secure-testing-team] Re: [Secure-testing-commits] r3297 - data/CVE

Florian Weimer fw at deneb.enyo.de
Mon Jan 16 14:31:03 UTC 2006


* Moritz Muehlenhoff:

>> Exactly.  This is why you should list the version which started
>> linking dynamically against poppler as the "fixed" version.  It is
>> more or less necessary if there ever will be a DSA released for this
>> issue.
>
> There'll be a DSA soon, but I fail to see why this should cause problems.
> - foo
> is after all nothing more than a short form for
> [sid] - foo

No, it isn't. 8-)

The former means "all versions, including those in various releases,
are vulnerable".  The latter means "only the sid release is
vulnerable".  debsecan relies heavily on that: The main decision is
controlled by the sid version, and an explicit list of fixed versions
on other branches is provided (to handle DSAs and DTSAs).  The
explicit list includes all known versions of this package (based on
all notes for the package, and what is available from the archive).

If you think we need complete independence of sid and the other
branches, we need a known-bad list for the release branches.
Unfortunately, this means that we need a complete list of all package
versions which have been ever published on a release branch (be it a
security update or not).  This list is not readily available, and I
only know how to construct it for sarge.

I plan to document all those tricky interactions some day, but I'm
currently busy with university stuff (and debsecan bugs have higher
priority anyway).
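As an added illustration of the distinction Florian draws above (this is example code written for this page, not code from the mail, from debsecan or from the security tracker), the following Python models the decision order he describes: an explicit per-release fixed version wins, otherwise an unqualified "- foo" entry applies to every branch, and a package that only has other releases' "[release] - foo" entries is not listed as affected for this one. The entry syntax, the sample entries and the simplified version ordering are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Entry syntax assumed here, modelled on the "- foo" / "[sid] - foo" lines
# quoted in the mail; it is a simplified stand-in for the tracker's real
# data/CVE format, not a parser for it.
#   - <package> <version>|<unfixed>              unqualified: covers every branch
#   [<release>] - <package> <version>|<unfixed>  qualified: that release only
ENTRY_RE = re.compile(
    r"^(?:\[(?P<release>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<fix>\S+)$"
)
UNFIXED = "<unfixed>"


@dataclass
class Issue:
    """Fixed-version information for one package within one CVE entry."""
    has_default: bool = False             # an unqualified "- pkg ..." line was seen
    default_fix: Optional[str] = None     # its fixed version; None means <unfixed>
    per_release: Dict[str, Optional[str]] = field(default_factory=dict)


def _version_key(v: str):
    # Simplified ordering: numeric runs compare as integers, other runs as
    # strings, and a prefix sorts before its extension. This is not dpkg's
    # algorithm (no epoch or "~" handling); it suffices for the samples below.
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|\D+", v)]


def version_lt(a: str, b: str) -> bool:
    return _version_key(a) < _version_key(b)


def parse_entries(text: str) -> Dict[str, Issue]:
    issues: Dict[str, Issue] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        fix = None if m["fix"] == UNFIXED else m["fix"]
        issue = issues.setdefault(m["pkg"], Issue())
        if m["release"] is None:
            issue.has_default, issue.default_fix = True, fix
        else:
            issue.per_release[m["release"]] = fix
    return issues


def is_vulnerable(issue: Issue, release: str, installed: str) -> bool:
    """Decision order from the mail: an explicit per-release fixed version
    wins (DSA/DTSA handling); otherwise the unqualified entry governs every
    branch; with only other releases' entries, this release is not affected."""
    if release in issue.per_release:
        fix = issue.per_release[release]
    elif issue.has_default:
        fix = issue.default_fix
    else:
        return False
    return fix is None or version_lt(installed, fix)


# Constructed sample entries for the example; not real tracker data.
SAMPLE = """\
- foo <unfixed>
[sarge] - foo 1.0-2sarge1
- bar 2.1-1
[sid] - baz <unfixed>
"""


def check(package: str, release: str, installed: str, text: str = SAMPLE) -> bool:
    return is_vulnerable(parse_entries(text)[package], release, installed)


if __name__ == "__main__":
    for pkg, rel, ver in [("foo", "sid", "1.0-2"), ("foo", "sarge", "1.0-2sarge1"),
                          ("bar", "sarge", "2.0-1"), ("baz", "sarge", "0.9-1")]:
        print(pkg, rel, ver, "vulnerable" if check(pkg, rel, ver) else "not affected")
```

With these samples, "- bar 2.1-1" marks bar below 2.1-1 as affected on sarge as well as sid, while "[sid] - baz <unfixed>" leaves sarge's baz untouched; that is exactly the difference between the two spellings that the reply insists on.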
