Where do you find the known patch? It seems CVE descriptions and references don't usually go into that level of detail.
On Tue, Jul 26, 2011 at 3:17 PM, Michael Gilbert <[email protected]> wrote:
> Moritz Mühlenhoff wrote:
>
> > On Tue, Jul 26, 2011 at 02:57:37PM -0700, Johnathan Ritzi wrote:
> > > As a followup: what amount of "checking" should be done before marking an
> > > issue as fixed? Is a changelog entry by the maintainer saying that CVE/bug
> > > has been fixed enough? Or do people on this list research the vulnerability
> > > itself, check the code, and confirm that the patch actually fixes the issue
> > > (regardless of claims by the maintainer)?
> >
> > Everyone is encouraged to double-check the patches, which have been applied,
> > but in general a changelog entry from the maintainer is sufficient.
>
> I always check the vulnerable code against a known patch, and I think
> that should be the modus operandi. Seeing a CVE number in a changelog
> should not be sufficient.
>
> I'm not saying that Debian maintainers aren't trustworthy, but simply
> that we all make mistakes, and it's important to be able to catch those
> mistakes via peer review.
>
> Best wishes,
> Mike
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
> Archive: http://lists.debian.org/[email protected]
