Antoine Beaupré <anar...@orangeseeds.org> writes:

> I am not aware of any such tool. How did you do the following comparison
> - by hand?

Yes, I did.

What I imagine is having some tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then compare against distribution X in
https://security-tracker.debian.org/tracker/CVE-2015-8104

Of course, might be worth waiting to see what happens to CVEs first.

>> Not fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
>> - CVE-2014-5146 (marked No DSA)
>> - CVE-2014-5149 (marked No DSA)
>> - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
>> through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
>> - CVE-2014-8341 (marked No DSA)
>
> 2014-8104 is probably a typo, as it concerns OpenVPN according to the
> security tracker. You probably mean CVE-2015-8104...

Yes, that looks like a typo. Thanks for the correction.

> That is an impressive list, and it does seem like we should merge our
> efforts with Ubuntu here!

Agreed.
-- 
Brian May <b...@debian.org>
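
One way to implement the tool imagined in the message above, as an added example that is not part of the original mail: it extracts CVE identifiers from changelog text, compares them with a tracker snapshot for one package and release, and flags identifiers the tracker files under a different package (the CVE-2014-8104 typo case). The changelog excerpt, the tracker snapshot and its package -> CVE -> releases -> status shape, the `distX` release name and the function names are constructed assumptions.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed changelog excerpt (not a real upload); CVE-2099-0001 is a placeholder id.
SAMPLE_CHANGELOG = """\
xen (0.0-example1) distX-security; urgency=medium

  * Security fixes: CVE-2014-5146, CVE-2014-5149
  * Also cve-2014-8104 and CVE-2099-0001
"""

# Constructed tracker snapshot. Assumed shape: package -> CVE -> releases -> release -> status.
SAMPLE_TRACKER = {
    "xen": {
        "CVE-2014-5146": {"releases": {"distX": {"status": "open"}}},
        "CVE-2014-5149": {"releases": {"distX": {"status": "resolved"}}},
        "CVE-2015-8104": {"releases": {"distX": {"status": "open"}}},
    },
    "openvpn": {"CVE-2014-8104": {"releases": {"distX": {"status": "resolved"}}}},
}

def cves_in(text):
    """Return every CVE-looking identifier in text, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}

def compare(changelog, tracker, package, release):
    """Compare CVEs named in a changelog with the tracker's view of package in release."""
    mentioned = cves_in(changelog)
    known = tracker.get(package, {})
    report = {"still_open": [], "other_package": {}, "unknown": []}
    for cve in sorted(mentioned):
        if cve in known:
            status = known[cve].get("releases", {}).get(release, {}).get("status")
            if status != "resolved":  # fixed in the changelog, not yet in the release
                report["still_open"].append(cve)
            continue
        # Not filed under this package: likely a typo if another package owns it.
        owners = sorted(p for p, cves in tracker.items() if cve in cves)
        if owners:
            report["other_package"][cve] = owners
        else:
            report["unknown"].append(cve)
    # Tracked for the package but never mentioned in the changelog.
    report["not_in_changelog"] = sorted(set(known) - mentioned)
    return report

if __name__ == "__main__":
    for key, value in compare(SAMPLE_CHANGELOG, SAMPLE_TRACKER, "xen", "distX").items():
        print(f"{key}: {value}")
```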