On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
> On this machine, it found 472 vulnerabilities. Quite a few of them fit
> into the remotely exploitable, high urgency category. Many date back to
> last year, some as far back as 2012. I've included a few examples at
> the end.
I'm not sure what your approach to counting is, but if it is simply "debsecan | wc -l" then you are sorely over-counting, not to mention that vulnerability counting itself is a road to madness:

https://www.blackhat.com/us-13/briefings.html#Martin

On the over-counting topic, since security issues are tracked by source package, debsecan can show up to 7 different binary packages or more affected by the same CVE (for example util-linux, krb5). Also, if you've set up multi-arch, debsecan will show the same CVE separately for i386 and amd64 (that's a bug, by the way).

> Now, it is possible with some of these that the security-tracker
> database ought to be updated to reflect that there is not a true
> vulnerability. However, many of them seem to be existing issues that
> just got forgotten somehow. I've traced a few through bug reports and such.

If you follow the secure-testing-commits list for a day, you'll see the herculean effort the security team puts into keeping up with the constant deluge of new and ongoing security issues:

http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

So to suggest that not enough is being done is disingenuous and insulting.

> Are we already aware of these issues?

If it's in the security tracker, then of course it is known.

> Do we have plans to fix them?

Of course everything is intended to be fixed, but without a sufficient number of interested volunteers doing that, how is it supposed to happen?

> Do we know what would be helpful to fix them?

More volunteers actually doing the hard and constant day-to-day work that is security upkeep. Fewer distracting and obviously ill-researched blog and mailing list posts would also be nice.

Best wishes,
Mike

--
Archive: https://lists.debian.org/CANTw=mothu8uhqcw75agy110sxm8c5jjpeznbesugsmytqu...@mail.gmail.com
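The over-counting point Mike makes above, as an added example that is not part of the thread: a short POSIX shell script that takes debsecan-style output and counts distinct CVEs rather than lines, collapsing the per-binary-package and per-architecture fan-out. It assumes debsecan's default format of one line per affected binary package, "CVE-ID package[:arch] (flags)"; the input lines are constructed with placeholder CVE ids and are not real advisories. Mapping binary packages back to their source package (what the tracker actually keys on) is not done here, since that needs dpkg on a live Debian system.

```shell
#!/bin/sh
# Added example, not from the original thread: count debsecan output per CVE
# instead of per line. One CVE against a source package shows up once for
# every binary package built from it, and again per architecture under
# multi-arch, so "debsecan | wc -l" inflates the figure.
#
# Assumption: debsecan's default output is "CVE-ID package[:arch] (flags)",
# one line per binary package. The lines below are constructed test data
# with placeholder CVE ids, not real advisories.

sample_debsecan_output() {
    cat <<'EOF'
CVE-0000-0001 util-linux (remotely exploitable, high urgency)
CVE-0000-0001 mount (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1 (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1:i386 (remotely exploitable, high urgency)
CVE-0000-0001 libmount1 (remotely exploitable, high urgency)
CVE-0000-0001 libmount1:i386 (remotely exploitable, high urgency)
CVE-0000-0001 libuuid1 (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3 (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3:i386 (remotely exploitable, high urgency)
CVE-0000-0002 libgssapi-krb5-2 (remotely exploitable, high urgency)
CVE-0000-0003 libkrb5-3 (low urgency)
CVE-0000-0003 libkrb5-3:i386 (low urgency)
CVE-0000-0004 cpio (low urgency)
EOF
}

# The naive "debsecan | wc -l" figure: one per line.
raw_line_count() {
    sample_debsecan_output | awk 'END { print NR }'
}

# Distinct CVEs, regardless of how many binary packages or architectures
# each one is reported against.
distinct_cve_count() {
    sample_debsecan_output | awk '{ print $1 }' | sort -u | awk 'END { print NR }'
}

# Distinct CVEs carrying both the "remotely exploitable" and "high urgency"
# flags, i.e. the category the thread is arguing about.
distinct_remote_high_cve_count() {
    sample_debsecan_output \
        | grep 'remotely exploitable' | grep 'high urgency' \
        | awk '{ print $1 }' | sort -u | awk 'END { print NR }'
}

# One row per (CVE, binary package) with the multi-arch ":arch" suffix
# stripped, so the i386 and amd64 copies of a package collapse into one.
cve_package_pairs() {
    sample_debsecan_output \
        | awk '{ sub(/:.*$/, "", $2); print $1, $2 }' | sort -u
}

# Number of distinct binary packages reported for one CVE id.
packages_for_cve() {
    cve_package_pairs | awk -v cve="$1" '$1 == cve' | awk 'END { print NR }'
}

printf 'raw debsecan lines:              %s\n' "$(raw_line_count)"
printf 'distinct CVEs:                   %s\n' "$(distinct_cve_count)"
printf 'distinct remote/high CVEs:       %s\n' "$(distinct_remote_high_cve_count)"
printf 'binary packages for CVE-0000-0001: %s\n' "$(packages_for_cve CVE-0000-0001)"
```

On the constructed input the line count is 13 but only 4 CVEs are involved, and only 2 of those are in the remotely exploitable, high urgency category. To run it against a real system, replace the `sample_debsecan_output` body with `debsecan`; to go one step further and count per source package, feed each binary package name through `dpkg-query -W -f='${source:Package}\n'` before the `sort -u`.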

