Hi Florian, Thank you for your prompt reply. I am a little bit confused with the description, maybe of what obsolete is. (And there is a typo in the man page: pacakge -> package.)
I thought that
apt-get install `debsecan --suite sid --format packages --only-fixed`
would install the packages which have security vulnerabilities and which are outdated on the system (i.e. there is a fresher binary package version available from the Debian repository), but for many packages it says "is already the newest version" and they are marked as obsolete (so for my purpose I really need to use --no-obsolete).
And the man page says about obsolete:
"This means that the binary package in question has been removed from the archive."
Which has quite a different meaning from debsecan's point of view: debsecan lists packages as obsolete even when they are not removed from the archive but are just not present in the archive with the required fresh binary version. A proper word for such packages would be "outdated" or "not-built", I believe, or something like it.
For instance:
CVE-2005-3352 (fixed, remotely exploitable, low urgency)
Cross-site scripting (XSS) vulnerability in the mod_imap module of ...
installed: apache-utils 1.3.33-8
(built from apache 1.3.33-8)
package is obsolete
fixed in unstable: apache 1.3.34-2 (source package)
fix is available for the selected suite (sid)
So a discrimination between
1. obsolete: packages which have vulnerabilities and are not available from the archive at all in any version for a given suite -- removed from the archive, so no "fixed in unstable.*(source package)" for them, I believe
2. not-built (or some better name): fresh source is available with no binaries yet available from the archive (mirror). Then an option --no-not-built would help.
Such a discrimination sounds reasonable to me and would help to provide relevant information for the administrator on what updates he can currently perform.
Thank you in advance for any feedback.
And thank you very much for your work.
On Thu, Jan 19, 2006 at 09:00:26AM +0100, Florian Weimer wrote:
> > I am sorry to bother you but I am really curious if you are going to
> > implement "availability check" in debsecan? if so, then how soon since I
> > am waiting for this feature holding my breath ;-)
> This should have been fixed in:
> ------------------------------------------------------------------------
> r3122 | fw | 2005-12-22 11:19:06 +0100 (Thu, 22 Dec 2005) | 4 lines
> lib/python/security_db.py (DB.calculateDebsecan):
> Check that a fixed package is actually available in sid, and do not
> trust the list files.
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
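As an added example (not part of the mail thread and not debsecan's own code), here is a small parser for the detail-format output quoted above that applies the distinction proposed in the mail: a record marked "package is obsolete" that still carries a "fixed in unstable: ... (source package)" line is treated as "not-built" (fixed source exists, binary not yet in the archive), one without it as "obsolete" (removed from the archive), and a record with a fix available and no obsolete marker as "installable". The classification rule is the mail's heuristic, not debsecan's logic; the first sample record is the real one from the mail, the other two (CVE-0000-0001, CVE-0000-0002, oldpkg, somepkg) are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the debsecan detail output quoted in the mail.
# The first record is the real one from the mail; the other two are made up
# placeholders (CVE-0000-* ids, oldpkg, somepkg) to exercise each category.
SAMPLE = """\
CVE-2005-3352 (fixed, remotely exploitable, low urgency)
  Cross-site scripting (XSS) vulnerability in the mod_imap module of ...
  installed: apache-utils 1.3.33-8
             (built from apache 1.3.33-8)
  package is obsolete
  fixed in unstable: apache 1.3.34-2 (source package)
  fix is available for the selected suite (sid)

CVE-0000-0001 (fixed, remotely exploitable, high urgency)
  Placeholder: issue in a package that was dropped from the archive entirely.
  installed: oldpkg 0.9-1
             (built from oldpkg 0.9-1)
  package is obsolete

CVE-0000-0002 (fixed, locally exploitable, medium urgency)
  Placeholder: issue whose fixed binary is already in the archive.
  installed: somepkg 1.0-1
             (built from somepkg 1.0-1)
  fixed in unstable: somepkg 1.0-2 (source package)
  fix is available for the selected suite (sid)
"""

# Header line of each record: "CVE-YYYY-NNNN (flags...)"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d+) \((.*)\)$")


@dataclass
class Record:
    cve: str
    flags: str
    installed: str = ""          # "binary-pkg version" as printed by debsecan
    obsolete: bool = False       # "package is obsolete" line present
    fixed_in_unstable: str = ""  # text after "fixed in unstable:"
    fix_available: bool = False  # "fix is available for the selected suite" present


def parse_records(text):
    """Split detail-format output into records (blank-line separated blocks)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a record header; skip defensively
        rec = Record(cve=m.group(1), flags=m.group(2))
        for line in lines[1:]:
            if line.startswith("installed:"):
                rec.installed = line[len("installed:"):].strip()
            elif line == "package is obsolete":
                rec.obsolete = True
            elif line.startswith("fixed in unstable:"):
                rec.fixed_in_unstable = line[len("fixed in unstable:"):].strip()
            elif line.startswith("fix is available for the selected suite"):
                rec.fix_available = True
        records.append(rec)
    return records


def classify(rec):
    """The mail's proposed heuristic (assumption, not debsecan's own rule)."""
    if rec.obsolete and rec.fixed_in_unstable:
        return "not-built"    # fixed source exists, binary not yet in archive
    if rec.obsolete:
        return "obsolete"     # no fixed source at all: removed from the archive
    if rec.fix_available:
        return "installable"  # fixed binary is in the archive right now
    return "unfixed"


def installable_packages(text):
    """Binary package names an administrator can actually upgrade now."""
    names = {rec.installed.split()[0]
             for rec in parse_records(text)
             if classify(rec) == "installable" and rec.installed}
    return sorted(names)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"{rec.cve}: {rec.installed:<24} -> {classify(rec)}")
    print("upgradeable now:", " ".join(installable_packages(SAMPLE)))
```

Feeding real `debsecan --suite sid` detail output into `installable_packages` yields the set the mail is after: packages with a fix that can be installed today, with "removed" and "not yet built" cases reported separately instead of lumped together as obsolete.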