Andres Salomon wrote:
> Actually, that was the case for a while (before ubuntu's kernel team went
> on vacation, and I went on vacation). However, w/ all the vacations
> that have been happening, it hasn't been the case for a few months.
Well it sounds like the earlier suggestion to get Joey to feed vuln info
to someone on the kernel team (perhaps you for 2.6 and Horms for 2.4)
would be a good idea. Assuming he's been able to keep up with recent
kernel security holes.
> Unfortunately, we don't have any real database of vulnerabilties to ensure
> that they're fixed. I've been using
> http://people.ubuntu.com/~pitti/ubuntu-cve.html, but that's about it.
I hope you're aware of
http://newraff.debian.org/~joeyh/testing-security.html ? It's true that
this has the CVE lag built into it[1]. However it also has some unresolved
kernel security issues listed. We could probably autogenerate a list of
CANs of kernel holes that have not been verified to affect Debian
kernels yet, if that would be helpful.
--
see shy jo
[1] To some extent; if I see an advisory that mentions a CAN it will get
listed even if the CAN is still reserved.
Attachment:
signature.asc
Description: Digital signature