Steve Langasek wrote:
> Many thanks for tackling this.
>
> On Wed, Aug 11, 2004 at 10:42:03PM -0300, Joey Hess wrote:
> > We have now finished checking all the DSAs since woody's release, except
> > for a few that we didn't reach any conclusions on. That the following
> > DSAs seem to still be unfixed in sarge:
>
> > php4 4:4.3.8-1 needed, have 4:4.3.4-4 for DSA-531
> > netkit-telnet-ssl 0.17.24+0.1-2 needed, have 0.17.24+0.1-1 for DSA-529
> > pavuk (unfixed; bug #264684) for DSA-527
> > rlpr (unfixed; bug #255402) for DSA-524
> > lha 1.14i-8 needed, have 1.14i-2 for DSA-515
> > log2mail (unfixed; bug #264687) for DSA-513
> > mysql-dfsg 4.0.18-6 needed, have 4.0.18-5 for DSA-483
> > hsftp 1.15-1 needed, have 1.12-1 for DSA-447
> > trr19 (unfixed; bug #264702) for DSA-430
> > slocate (unfixed; bug #226103) for DSA-428
> > tomcat4 4.1.24-2 needed, have 4.0.4-4 for DSA-395
> > gtksee 0.5.6-1 needed, have 0.5.2-0.1 for DSA-337
> > tomcat4 4.1.16-1 needed, have 4.0.4-4 for DSA-225
>
> Hmm, do I understand right that the above is really the complete list of
> security fixes pending for sarge?
No, just the low-hanging fruit. As previously noted, this will miss:
- security holes that were not in woody (would need to scan all
CVE's to find)
- security bugs that did not get a CVE (but mdz says he's been
getting CVE's assigned for all security tagged bugs)
- security holes for which the security team has not yet issued a
DSA (mozilla problms come to mind)
- security holes fixed silently upstream (doh)
And also:
- security holes that were fixed at one point, but had the fix lost
due to new upstream versions, accidents, etc.
The next step would be to tackle all the CVEs, which is a much bigger job.
--
see shy jo
Attachment:
signature.asc
Description: Digital signature