Andres Salomon wrote:
> Actually, that was the case for a while (before ubuntu's kernel team went
> on vacation, and I went on vacation). However, w/ all the vacations
> that have been happening, it hasn't been the case for a few months.

Well it sounds like the earlier suggestion to get Joey to feed vuln info to someone on the kernel team (perhaps you for 2.6 and Horms for 2.4) would be a good idea. Assuming he's been able to keep up with recent kernel security holes.

> Unfortunately, we don't have any real database of vulnerabilities to ensure
> that they're fixed. I've been using
> http://people.ubuntu.com/~pitti/ubuntu-cve.html, but that's about it.

I hope you're aware of http://newraff.debian.org/~joeyh/testing-security.html ?

It's true that this has the CVE lag built into it[1]. However it also has some unresolved kernel security issues listed. We could probably autogenerate a list of CANs of kernel holes that have not been verified to affect Debian kernels yet, if that would be helpful.

-- 
see shy jo

[1] To some extent; if I see an advisory that mentions a CAN it will get listed even if the CAN is still reserved.