Hi folks,

So I recently started running debsecan on one of my boxes. It's a fairly barebones server install, uses unattended-upgrades and is fully up-to-date. I expected a clean bill of health, but didn't get that. I got pages and pages and pages of output. Some of it (especially kernel related) I believe may be false positives, but not all. Some of it simply isn't patched yet.

Diving into it a bit, it seems that somehow we fell down a bit with stretch. The first hit on my list is this one:

https://security-tracker.debian.org/tracker/CVE-2011-5325

Marked fixed in jessie, vulnerable in stretch. And indeed, when looking at the bug report 802702, I don't see any such changelog entries pertaining to this in my stretch version.

So, the questions:

1) Is this a symptom of a bad process or of not enough volunteers? In other words, could we have marked these security bugs fixed in jessie as RC for stretch somehow until they were also fixed there?

2) Is there a need for more help with security in general? If so, what kinds of volunteering would be appreciated?

Thanks,
John
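The manual check described in the post (take a debsecan hit, look whether the installed package's Debian changelog mentions the CVE) can be done in bulk. The script below is an added example, not debsecan's own code or anything from the original post. It assumes that each debsecan output line starts with "CVE-ID package" (the default text format), that changelogs live at /usr/share/doc/PKG/changelog.Debian.gz, and that CVE-2011-5325 concerns the busybox package; DOC_ROOT is an environment knob introduced here so the check can run against a constructed fixture tree, and the fixture content itself (changelog text, the placeholder CVE-2099-0001 and the package name examplepkg) is made up for the demo.

```shell
#!/bin/sh
# Added example (not from debsecan or the original post): for every line
# of debsecan output, report whether the installed package's Debian
# changelog mentions the CVE id.
#
# Assumption: each debsecan finding line starts with "CVE-ID package";
# everything after those two fields is ignored.

# DOC_ROOT is a knob added for this example so the check can run against a
# constructed tree instead of the real /usr/share/doc.
DOC_ROOT="${DOC_ROOT:-/usr/share/doc}"

# changelog_mentions CVE PKG
#   0 -> changelog mentions the CVE
#   1 -> changelog present, CVE not mentioned
#   2 -> no readable changelog (package probably not installed)
changelog_mentions() {
    cve="$1"; pkg="$2"
    changelog="$DOC_ROOT/$pkg/changelog.Debian.gz"
    [ -r "$changelog" ] || return 2
    gzip -dc "$changelog" | grep -q -- "$cve"
}

# classify_debsecan FILE
#   prints one "CVE PKG STATUS" line per finding, STATUS being
#   mentioned | unmentioned | no-changelog
classify_debsecan() {
    while read -r cve pkg _rest; do
        case "$cve" in
            CVE-*) ;;          # keep only finding lines
            *) continue ;;
        esac
        # errexit-safe way to capture the function's return code
        changelog_mentions "$cve" "$pkg" && rc=0 || rc=$?
        case "$rc" in
            0) status=mentioned ;;
            2) status=no-changelog ;;
            *) status=unmentioned ;;
        esac
        printf '%s %s %s\n' "$cve" "$pkg" "$status"
    done < "$1"
}

# build_fixture DIR
#   Constructed sample data: two fake changelogs and a three-line debsecan
#   report. busybox is the package CVE-2011-5325 applies to; examplepkg,
#   nosuchpkg and CVE-2099-0001 are placeholders, not real identifiers.
build_fixture() {
    dir="$1"
    mkdir -p "$dir/busybox" "$dir/examplepkg"
    printf '%s\n' \
        'busybox (1:1.22.0-19) unstable; urgency=high' \
        '' \
        '  * Apply upstream patch for CVE-2011-5325 (tar path traversal).' \
        '' \
        ' -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000' \
        | gzip -c > "$dir/busybox/changelog.Debian.gz"
    printf '%s\n' \
        'examplepkg (1.0-1) unstable; urgency=medium' \
        '' \
        '  * New upstream release.' \
        '' \
        ' -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000' \
        | gzip -c > "$dir/examplepkg/changelog.Debian.gz"
    printf '%s\n' \
        'CVE-2011-5325 busybox (remotely exploitable, high urgency)' \
        'CVE-2099-0001 examplepkg (remotely exploitable, low urgency)' \
        'CVE-2099-0001 nosuchpkg (low urgency)' \
        > "$dir/debsecan.txt"
}

# demo: run the classifier over the constructed fixture
demo() {
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    DOC_ROOT="$tmp" classify_debsecan "$tmp/debsecan.txt"
    rm -rf "$tmp"
}

# Usage: ./check.sh demo            (constructed data)
#        debsecan > out.txt; ./check.sh out.txt   (real box)
case "${1:-}" in
    demo) demo ;;
    "") ;;
    *) classify_debsecan "$1" ;;
esac
```

"unmentioned" is only a hint, not proof that the package is vulnerable: maintainers do not always cite the CVE id in the changelog, and a package may be unaffected by a version-level match. The per-release status on the security tracker remains the authoritative answer; this script just tells you which hits deserve a closer look.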