Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify why it thinks it's found a code copy based on
> the source code being similar. It also tells you which source file has
> the vuln based on the CVE summary.
The ia32-libs stuff is all false positives (assuming the package was
updated after the security fixes came out, I'm not 100% sure about that
:)). And the openssl source is expected to contain the openssl source.
Otherwise I think it might be worth integrating such a check into the
QA tools Debian runs regularly.
Thanks for your work!
Bernd Zeimetz
Debian GNU/Linux Developer
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
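The thread above describes a report that flags embedded code copies on the basis of source similarity, and notes two classes of false positive (a package that was rebuilt after the fix, and a package that is itself the upstream, such as openssl shipping openssl). The following is an added illustration of that kind of check, written for this page; it is not Silvio Cesare's tool or any Debian QA script. It assumes a hypothetical upstream library "tinylib" and a hypothetical package tree, both given here as constructed in-memory C sources rather than real unpacked packages, and it uses a deliberately simple comment-stripped, whitespace-normalized line-set Jaccard score as the similarity measure.

```python
"""Toy embedded-code-copy detector (added example, not the report from the thread).

Compare an upstream library tree against a package source tree and flag
package files whose normalized content is mostly identical to an upstream
file, while letting the auditor suppress known/expected copies.
"""
from __future__ import annotations

import re
from pathlib import Path

# Drop C/C++ comments so comment churn or a "vendored from ..." banner
# does not hide an otherwise verbatim copy.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def normalize(src: str) -> set[str]:
    """Set of non-empty lines with comments removed and whitespace collapsed."""
    stripped = _COMMENT_RE.sub("", src)
    lines: set[str] = set()
    for line in stripped.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            lines.add(line)
    return lines


def similarity(a: set[str], b: set[str]) -> float:
    """Jaccard similarity of two normalized line sets (0.0 .. 1.0)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_copies(upstream: dict[str, str], package: dict[str, str],
                threshold: float = 0.8,
                ignore_prefixes: tuple[str, ...] = ()) -> list[tuple[str, str, float]]:
    """Pair each package file with its most similar upstream file above threshold.

    Inputs map a relative path to file contents.  ignore_prefixes lets the
    auditor silence expected copies (e.g. the package that *is* the upstream),
    which is exactly the openssl-in-openssl false positive from the thread.
    Returns (package_path, upstream_path, score) triples, sorted by path.
    """
    up_norm = {p: normalize(s) for p, s in upstream.items()}
    hits: list[tuple[str, str, float]] = []
    for pkg_path, pkg_src in package.items():
        if pkg_path.startswith(ignore_prefixes):
            continue
        pkg_norm = normalize(pkg_src)
        if not pkg_norm:
            continue
        best_path, best_score = None, 0.0
        for up_path, up_lines in up_norm.items():
            score = similarity(pkg_norm, up_lines)
            if score > best_score:
                best_path, best_score = up_path, score
        if best_path is not None and best_score >= threshold:
            hits.append((pkg_path, best_path, round(best_score, 3)))
    return sorted(hits)


def load_tree(root: Path, patterns: tuple[str, ...] = ("*.c", "*.h")) -> dict[str, str]:
    """Read source files under an unpacked tree into the mapping find_copies expects."""
    files: dict[str, str] = {}
    for pat in patterns:
        for f in root.rglob(pat):
            files[str(f.relative_to(root))] = f.read_text(errors="replace")
    return files


# Constructed sample input: a hypothetical upstream "tinylib" ...
UPSTREAM_TINYLIB = {
    "src/adler.c": """#include <stdint.h>
/* Adler-32 checksum, upstream version. */
uint32_t adler32(const uint8_t *buf, size_t len)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}
""",
    "src/crc.c": """#include <stdint.h>
uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1));
    }
    return crc;
}
""",
}

# ... and a hypothetical package that vendored adler.c with a local tweak.
PACKAGE_TREE = {
    "lib/embedded/adler.c": """#include <stdint.h>
// Vendored from tinylib 1.2 -- keep in sync with upstream!
uint32_t adler32(const uint8_t *buf, size_t len)
{
	if (!buf) return 0;   // local addition not present upstream
	uint32_t a = 1,  b = 0;
	for (size_t i = 0;  i < len; i++) {
		a = (a + buf[i]) % 65521;
		b = (b + a) % 65521;
	}
	return (b << 16) | a;
}
""",
    "src/main.c": """#include <stdio.h>
int main(void)
{
    puts("hello");
    return 0;
}
""",
}

if __name__ == "__main__":
    for pkg, up, score in find_copies(UPSTREAM_TINYLIB, PACKAGE_TREE):
        print(f"{pkg} looks like a copy of {up} (similarity {score})")
```

Only the vendored adler.c is reported (9 of its 10 normalized lines match upstream, score 0.9); main.c shares nothing but braces. In a real audit the two mappings would come from `load_tree()` over the unpacked upstream and package sources, the hit still has to be checked against the package's changelog and the security tracker to rule out the "already rebuilt after the fix" case Bernd mentions, and a crude line-set score like this will miss copies that were heavily refactored, so it is a triage aid rather than proof.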