Hi Mike, thanks for your reply.
Michael Gilbert wrote:
> etch is no longer supported, so any info there is very likely not up to
> date. the etch entries need to be removed. i'll fix that at some point.

OK. If the etch information is no longer updated even when it's known to be incorrect, then I agree it should be removed.

>> Finally, although 2.6.35-1~experimental.3 is described as fixed, I've
>> now looked at the code and the LOAD_ARGS32 macro is still missing a
>> setting of %eax so I believe it is still vulnerable.
>
> that's a limitation of the tracker since it's based on unstable.
> anything greater than unstable's 2.6.32-23 will be considered fixed.

I know pretty much nothing about how the tracker works or how difficult it would be to change it, but if we agree that a tool such as the tracker is only useful insofar as the information it gives is correct, then I think it follows that, in cases where the assertion is not based on actual knowledge of the presence or absence of the vulnerability but instead on a comparison of version numbers that doesn't take into account the genealogy of the versions, it would be better to make no assertion than to risk making an incorrect one. That way, people consulting the tracker will know that in those cases they need to find out that information some other way in order to be sure.

Thanks again.

-- 
Archive: http://lists.debian.org/[email protected]
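The version-comparison problem discussed in this thread, as an added illustration that is not part of the original message nor code from the Debian security tracker: a dpkg-style version comparison ranks 2.6.35-1~experimental.3 above 2.6.32-23, so a rule of "anything greater than unstable's fixed version is fixed" reports the experimental kernel as fixed even though, as the reply above notes, the LOAD_ARGS32 fix is not in it. The `lineage_status` function models the alternative the reply argues for: record fixed versions per branch and answer "unknown" rather than guess when the candidate's branch has no fix on record. The per-branch table and the suite names passed to it are assumptions for the example, not the tracker's actual design.

```python
"""Why a bare version comparison can mislabel a package as fixed.

Added illustration; not code from the mailing-list thread or from the
Debian security tracker.  The version strings (2.6.32-23 in unstable,
2.6.35-1~experimental.3 in experimental) come from the thread; the
per-branch table of fixed versions is an assumed model used to show a
genealogy-aware alternative, not the tracker's real data structure.
"""
import re
from typing import Dict, Tuple


def _char_order(c: str) -> int:
    """dpkg ordering for one character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character by character, dpkg ordering) and
    digit runs (numerically, leading zeros insignificant)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: '~' sorts below everything, even the end of the string.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = a[i] if i < len(a) and not a[i].isdigit() else ""
            bc = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _char_order(ac) != _char_order(bc):
                return -1 if _char_order(ac) < _char_order(bc) else 1
            i += 1 if ac else 0
            j += 1 if bc else 0
        # Digit run: compare as integers.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        na = int(da) if da else 0
        nb = int(db) if db else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is <, == or > version b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def naive_status(candidate: str, unstable_fixed: str) -> str:
    """The rule described in the thread: anything that sorts at or above the
    version fixed in unstable is reported as fixed, whatever branch it is from."""
    return "fixed" if compare_versions(candidate, unstable_fixed) >= 0 else "vulnerable"


def lineage_status(candidate: str, suite: str, fixes: Dict[str, str]) -> str:
    """Assumed genealogy-aware alternative: only assert a status when a fixed
    version is recorded for the candidate's own branch; otherwise say 'unknown'."""
    fixed = fixes.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(candidate, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    fixes = {"unstable": "2.6.32-23"}  # constructed: the only fix on record
    exp = "2.6.35-1~experimental.3"
    print(compare_versions(exp, fixes["unstable"]))        # 1: sorts above the fix
    print(naive_status(exp, fixes["unstable"]))            # fixed (the misleading answer)
    print(lineage_status(exp, "experimental", fixes))      # unknown (no fix recorded for that branch)
    print(lineage_status("2.6.32-22", "unstable", fixes))  # vulnerable
```

The comparison itself follows the dpkg algorithm, so the misleading "fixed" answer is not a bug in the comparison: the versions really do sort that way. The error is in treating a number from a different branch as if it descended from the fixed one, which is why the second function refuses to answer instead.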
