Florian Weimer wrote:
> I intend to send a real debsecan announcement to debian-devel and
> debian-security. A draft is included below. Comments are
> appreciated.

Before bringing this to a wider audience, more false positives and non-issues should be weeded out (or at least it should be documented very clearly that most are theoretical issues that do not affect your system's security in a real-world situation, e.g. by setting the display default to >= medium). E.g. the first four entries in the list of "vulnerabilities w/o updates" for my notebook are all more or less moot:

CVE-2004-0175 Directory traversal vulnerability in scp for OpenSSH... <http://idssi.enyo.de/tracker/CVE-2004-0175>
  - ssh, openssh-server, openssh-client (remotely exploitable)
CVE-2004-1617 Lynx allows remote attackers to cause a denial of... <http://idssi.enyo.de/tracker/CVE-2004-1617>
  - lynx (remotely exploitable, low urgency)
CVE-2004-2531 X.509 Certificate Signature Verification in Gnu... <http://idssi.enyo.de/tracker/CVE-2004-2531>
  - libgnutls11 (remotely exploitable, low urgency)
CVE-2005-0406 A design flaw in image processing software that... <http://idssi.enyo.de/tracker/CVE-2005-0406>
  - libmagick9, imagemagick (low urgency)

Cheers,
Moritz

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
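The "display default to >= medium" suggestion above amounts to post-filtering the report by urgency. The following is an added example (not debsecan's own code, nor anything from the thread) that parses entries laid out as the four quoted in the message and keeps only those at or above a chosen urgency; the line layout it assumes is taken from the quoted entries, and the sample report is constructed from them.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the entries quoted in the message:
# CVE id, truncated summary, tracker URL, " - ", packages, parenthesised flags.
SAMPLE_REPORT = """\
CVE-2004-0175 Directory traversal vulnerability in scp for OpenSSH... <http://idssi.enyo.de/tracker/CVE-2004-0175> - ssh, openssh-server, openssh-client (remotely exploitable)
CVE-2004-1617 Lynx allows remote attackers to cause a denial of... <http://idssi.enyo.de/tracker/CVE-2004-1617> - lynx (remotely exploitable, low urgency)
CVE-2004-2531 X.509 Certificate Signature Verification in Gnu... <http://idssi.enyo.de/tracker/CVE-2004-2531> - libgnutls11 (remotely exploitable, low urgency)
CVE-2005-0406 A design flaw in image processing software that... <http://idssi.enyo.de/tracker/CVE-2005-0406> - libmagick9, imagemagick (low urgency)
"""

URGENCY_RANK = {"low": 0, "medium": 1, "high": 2}

# Assumed line layout (derived from the quoted entries, not from debsecan's source).
ENTRY_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<summary>.*?)\s+<(?P<url>[^>]+)>\s+-\s+"
    r"(?P<packages>.*?)\s*(?:\((?P<flags>[^)]*)\))?\s*$"
)

@dataclass
class Entry:
    cve: str
    summary: str
    url: str
    packages: list
    remote: bool
    urgency: str  # "low", "medium", "high", or "unknown" when no urgency flag is present

def parse_report(text):
    """Parse report lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
        urgency = "unknown"
        for f in flags:
            if f.endswith(" urgency"):
                urgency = f[: -len(" urgency")]
        entries.append(Entry(m.group("cve"), m.group("summary"), m.group("url"),
                             [p.strip() for p in m.group("packages").split(",")],
                             "remotely exploitable" in flags, urgency))
    return entries

def filter_min_urgency(entries, minimum="medium", keep_unknown=True):
    """Keep entries rated at or above `minimum`; unrated entries are kept unless told otherwise."""
    threshold = URGENCY_RANK[minimum]
    return [e for e in entries
            if (e.urgency == "unknown" and keep_unknown)
            or (e.urgency != "unknown" and URGENCY_RANK[e.urgency] >= threshold)]
```

Note that an entry with no urgency flag (the OpenSSH one above) is not the same as a low-rated one; the filter keeps it by default so that unrated issues do not silently disappear.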

