Re: [Secure-testing-commits] r7942 - data/CVE
Hi,
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-01-16 23:42]:
> Author: jmm-guest
> Date: 2008-01-16 17:57:08 + (Wed, 16 Jan 2008)
> New Revision: 7942
>
> Modified:
>    data/CVE/list
> Log:
> maxdb is in the archive, marked as unfixed for now, didn't check further

Is this the same maxdb? I wonder because it says SAP maxdb and also the advisory is linking the SAP homepage as vendor site while the description of the maxdb package in debian references a mysql.com site. That's why I marked this as NFU.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: [Secure-testing-commits] r7940 - data/CVE
On Wed, Jan 16, 2008 at 02:08:31PM +0100, Nico Golde wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-01-16 13:54]:
> > Author: thijs
> > Date: 2008-01-16 12:50:31 + (Wed, 16 Jan 2008)
> > New Revision: 7940
> >
> > Modified:
> >    data/CVE/list
> > Log:
> > do some more shifting on wordpress issues, associate them with the
> > wordpress package, discard some irrelevant ones. Have checked none
> > with lenny/sid, that needs to happen still.
>
> Do we really want our users in unstable to think that they
> are affected by a problem while we don't know it?

We err on the safe side. That's also how all entries for the stable overview are generated: they're all implicitly treated as affected unless explicitly marked as .

Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [Secure-testing-commits] r7940 - data/CVE
* Thijs Kinkhorst:
>> Do we really want our users in unstable to think that they
>> are affected by a problem while we don't know it?
>
> We know of these issues that at least some Debian release is known to be
> affected. I think it is not good to wait until we have confirmed or
> disfirmed every Debian release until we add some item to a specific
> package. We often have a list of issues for a specific package of which we
> do not know of every suite whether it is affected or not, this can be
> added or updated later.

We also use the potential impact of issues to rate them, and do not restrict ourselves to the confirmed impact. For instance, a heap-based buffer overflow is usually deemed to be exploitable for code injection even if we haven't got a copy of an exploit proving this. From a user point of view, the misattribution to a non-vulnerable version has a similar effect.

This might be a questionable policy, but virtually all the vendors who do disclose security vulnerabilities seem to follow the potential impact model (one of the latest high-profile converts was Cisco).
Re: [Secure-testing-commits] r7940 - data/CVE
On Wed, January 16, 2008 14:08, Nico Golde wrote:
>> do some more shifting on wordpress issues, associate them with the
>> wordpress package, discard some irrelevant ones. Have checked none with
>> lenny/sid, that needs to happen still.
>
> Do we really want our users in unstable to think that they
> are affected by a problem while we don't know it?

We know of these issues that at least some Debian release is known to be affected. I think it is not good to wait until we have confirmed or disfirmed every Debian release until we add some item to a specific package. We often have a list of issues for a specific package of which we do not know of every suite whether it is affected or not, this can be added or updated later.

I'd rather have a complete list of possible issues for a package, so someone that is going to work on that package has an overview of all currently known CVE id's, than to add things only when we're 100% sure.

We do this all the time for our stable and oldstable users: some package with a fixed unstable version is added, and it is then shown as "vulnerable" in stable/oldstable. A while later someone adds information that stable/oldstable is not affected.

Thijs
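The "implicitly affected unless explicitly marked" rule that Moritz and Thijs describe above, written out as a small resolver. This is an added example, not code from the thread or from the Debian security tracker: the entry syntax below is a constructed, simplified stand-in for data/CVE/list (the suite annotation and `unfixed` / `not-affected` keywords are assumptions), the suite versions are hypothetical, the CVE ids are placeholders, and the version comparison is a numeric simplification of dpkg's ordering.

```python
"""Added example: resolve per-suite vulnerability status for tracker-style
entries, defaulting to "vulnerable" unless a fix or an explicit
not-affected mark says otherwise (the "err on the safe side" rule).
Entry format, suite versions and ids are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical versions of one package in each suite (constructed).
SUITE_VERSIONS: Dict[str, str] = {
    "oldstable": "2.0.1-1",
    "stable": "2.2.3-1",
    "unstable": "2.3.2-1",
}

# Constructed sample in a simplified format; ids are placeholders, not real CVEs.
SAMPLE_LIST = """\
CVE-0000-0001 (placeholder id, fixed in unstable; oldstable later marked)
    - wordpress 2.3.2-1
    [oldstable] - wordpress not-affected
CVE-0000-0002 (placeholder id, no fix known yet)
    - wordpress unfixed
CVE-0000-0003 (placeholder id, fixed long ago)
    - wordpress 2.1.0-1
"""


@dataclass
class Entry:
    cve: str
    package: str
    fixed_version: Optional[str] = None            # None means "unfixed"
    not_affected: Set[str] = field(default_factory=set)  # explicit suite marks


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified ordering: split on '.', '-', '+' and compare numerically.
    Real Debian ordering is dpkg's algorithm; this suffices for the sample."""
    return tuple(int(p) for p in re.split(r"[.\-+]", v))


def parse_entries(text: str) -> List[Entry]:
    """Parse the simplified list: a CVE header line, one '- pkg status' line,
    and optional '[suite] - pkg not-affected' annotation lines."""
    entries: List[Entry] = []
    cve = ""
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("CVE-"):
            cve = line.split()[0]
            current = None
        elif line.startswith("- "):
            _, package, status = line.split(maxsplit=2)
            current = Entry(cve, package, None if status == "unfixed" else status)
            entries.append(current)
        elif line.startswith("[") and current is not None:
            suite = line[1:line.index("]")]
            rest = line[line.index("]") + 1:].strip()
            if rest.endswith("not-affected"):
                current.not_affected.add(suite)
    return entries


def status(entry: Entry, suite: str, suite_version: str) -> str:
    """Explicit mark wins; otherwise a fix at or below the suite's version
    counts as fixed; anything unknown stays "vulnerable" (safe side)."""
    if suite in entry.not_affected:
        return "not-affected"
    if entry.fixed_version is not None and (
        version_key(suite_version) >= version_key(entry.fixed_version)
    ):
        return "fixed"
    return "vulnerable"


def overview(entries: List[Entry],
             suite_versions: Dict[str, str] = SUITE_VERSIONS) -> Dict[str, Dict[str, str]]:
    """Per-CVE, per-suite status table, as a stable-overview page would show it."""
    return {e.cve: {s: status(e, s, v) for s, v in suite_versions.items()}
            for e in entries}


if __name__ == "__main__":
    for cve, suites in overview(parse_entries(SAMPLE_LIST)).items():
        print(cve, suites)
```

The first placeholder entry shows the case Thijs describes: the fix is only in unstable, so stable is reported vulnerable until someone adds evidence, while oldstable has been explicitly marked not-affected.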
Re: [Secure-testing-commits] r7940 - data/CVE
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-01-16 13:54]:
> Author: thijs
> Date: 2008-01-16 12:50:31 + (Wed, 16 Jan 2008)
> New Revision: 7940
>
> Modified:
>    data/CVE/list
> Log:
> do some more shifting on wordpress issues, associate them with the
> wordpress package, discard some irrelevant ones. Have checked none
> with lenny/sid, that needs to happen still.

Do we really want our users in unstable to think that they are affected by a problem while we don't know it?

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: show DTSAs as fixed even without CVE ids
* Nico Golde:
> Any way to workaround this?

There used to be a FIXED-BY: directive, but it was deemed to be redundant to the CVE references. Back then, we agreed to drop it because this corner case was not important enough.