* Thijs Kinkhorst:
>> Do we really want our users in unstable to think that they
>> are affected by a problem while we don't know it?
>
> We know of these issues that at least some Debian release is known to be
> affected. I think it is not good to wait until we have confirmed or
> disconfirmed every Debian release until we add some item to a specific
> package. We often have a list of issues for a specific package of which we
> do not know of every suite whether it is affected or not, this can be
> added or updated later.
We also use the potential impact of issues to rate them, and do not restrict ourselves to the confirmed impact. For instance, a heap-based buffer overflow is usually deemed to be exploitable for code injection even if we haven't got a copy of an exploit proving this. From a user point of view, the misattribution to a non-vulnerable version has a similar effect.

This might be a questionable policy, but virtually all the vendors who do disclose security vulnerabilities seem to follow the potential impact model (one of the latest high-profile converts was Cisco).
