[Secure-testing-team] Relevance of http://www.debian.org/security/nonvulns-sarge

Helge Kreutzmann debian at helgefjell.de
Sat Feb 10 15:41:03 UTC 2007


Hello,
reading the security announcements on lwn.net, I've noticed for a while
that lots of software does not have a DSA, nor are the CVEs mentioned
on http://www.debian.org/security/nonvulns-sarge. I've compiled a list
of roundabout 60 CVEs which *might* apply to Sarge / Etch and started
checking them. I noticed, however, that those checks seemed to be
performed already, e.g. on 

http://idssi.enyo.de/tracker/CVE-2007-0247

I see a note:
"[sarge] - squid <not-affected> (Vulnerable code not present)"

So why is this not mentioned in
http://www.debian.org/security/nonvulns-sarge which would be the most
natural place to look for vulnerabilities in a stable release?

My intention was to compile a list of entries for the nonvulns list
and either ask Joey to insert them or do it myself (I've commit
access, though I would not write there without permission /
coordination).

I would be glad for a clarification and thanks for your work /
http://idssi.enyo.de/.

Greetings

            Helge
-- 
      Dr. Helge Kreutzmann                     debian at helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/