[Secure-testing-team] False positives from daily report
Florian Weimer
fw at deneb.enyo.de
Sun Jun 25 10:54:22 UTC 2006
* Julien Goodwin:

> This should be listed as fixed for etch and sid as well from version
> 0.8.6d-1 (First version where adodb code removed from source tarball).

AFAICT, this has been fixed.

> Also:
> CVE-2006-0456 kernel: strlen_user() DoS on s390
> <http://idssi.enyo.de/tracker/CVE-2006-0456>
> - linux-headers-2.6.15-1-686-smp, linux-image-2.6-686-smp,
> linux-image-2.6.15-1-686-smp, linux-headers-2.6.15-1,
> linux-headers-2.6-686-smp
> Would be nice if arch-specific issues (rare as I'm sure they are) could
> be hidden if appropriate.

We usually track bugs by their source packages. Basically, there are
two reasons: The security team creates updates based on them, and
binary package names (and versions, or the source package they are
built from) can vary from architecture to architecture. I know that
this approach has drawbacks, but it's still rather brittle, and I want
to fix that before adding extensions to better deal with
architecture-specific vulnerabilities.