[Secure-testing-team] Relevance of http://www.debian.org/security/nonvulns-sarge
Moritz Muehlenhoff
jmm at inutil.org
Sun Feb 11 17:56:33 UTC 2007
Helge Kreutzmann wrote:
> Hello,
> reading the security announcements on lwn.net, I've noticed for a while
> that lots of software does not have a DSA, nor are the CVEs mentioned
> on http://www.debian.org/security/nonvulns-sarge. I've compiled a list
> of roundabout 60 CVEs which *might* apply to Sarge / Etch and started
> checking them. I noticed, however, that those checks seemed to be
> performed already, e.g. on
>
> http://idssi.enyo.de/tracker/CVE-2007-0247
You're invited to continue such efforts directly in the Security Tracker:
http://security-tracker.debian.net/tracker/
http://security-tracker.debian.net/tracker/data/report
> I see a note:
> "[sarge] - squid <not-affected> (Vulnerable code not present)"
>
> So why is this not mentioned in
> http://www.debian.org/security/nonvulns-sarge which would be the most
> natural place to look for vulnerabilities in a stable release?
In the mid-term we could probably phase out the above URL completely.
Florian, when you find the time please implement a web overview which
only presents a list of not-affected issues.
> My intention was to compile a list of entries for the nonvulns list
> and either ask Joey to insert them or do it myself (I've commit
> access, though I would not write there without permission /
> coordination).
Feel free to feed in the necessary information into webwml, I lack the
time to do so.
Cheers,
Moritz