Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

Last I checked, ia32-libs on squeeze didn't have the openssl patches for 0.9.8. I may have to check more thoroughly to be sure. It might have some other vulns as well.


On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz <bernd@bzed.de> wrote:
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self-
> explanatory and justify why it thinks it's found a code copy based on
> the source code being similar. It also tells you which source file has
> the vuln based on the CVE summary.

The ia32-libs stuff is all false positives (assuming the package was
updated after the security fixes came out; I'm not 100% sure about that
:)). And the openssl source is expected to contain the openssl source.

Otherwise I think it might be worth integrating such a check into the
QA tools Debian runs regularly.

Thanks for your work!
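
To make the kind of check discussed in this thread concrete, here is an added example (not Silvio's tool and not anything from the Debian QA suite): it fingerprints the source files of a known upstream, looks for those fingerprints inside another package's source tree, reads the version string of the embedded copy, compares it with the version that fixed a CVE, and maps a file name from the CVE summary to the package's copy of that file. The two source trees, the VERSION file, the CVE text and the 50% similarity threshold are all constructed for the example; real trees would be read from disk, and the version comparison carries exactly the false-positive caveat raised above (a distro backport fixes the bug without bumping the version string).

```python
"""Toy embedded-copy detector (added example, not the thread's tool):
fingerprint a known upstream's source files, find them in another package,
then check whether the embedded copy predates the version that fixed a CVE."""
from __future__ import annotations

import hashlib
import posixpath
import re
from dataclasses import dataclass

SOURCE_EXT = (".c", ".h", ".cc", ".cpp")

# Constructed sample data: a tiny "libfoo" upstream and a package "bar" that
# ships a repacked copy of most of it under contrib/libfoo/.
UPSTREAM_LIBFOO = {
    "src/parse.c": "int parse(const char *s) {\n    /* upstream comment */\n    return s[0] == 'x';\n}\n",
    "src/util.c": "int util(int a, int b) {\n    return a + b;\n}\n",
    "src/main.c": "int main(void) { return parse(\"x\"); }\n",
}
PACKAGE_BAR = {
    "bar.c": "int bar(void) { return 1; }\n",
    "contrib/libfoo/parse.c": "int parse(const char *s){\n  // repacked, comment changed\n  return s[0]=='x';\n}\n",
    "contrib/libfoo/util.c": "int util(int a,int b){ return a+b; }\n",
    "contrib/libfoo/VERSION": "1.0.1\n",
}
# Constructed CVE summary in the usual "in <file> in <project> before <ver>" style.
CVE_SUMMARY = "Buffer overflow in parse.c in libfoo before 1.0.2 allows remote attackers to crash the parser."
FIXED_IN = "1.0.2"


def normalize(src: str) -> str:
    """Strip C/C++ comments and all whitespace so a re-indented or
    re-commented copy still fingerprints the same (a deliberately crude
    stand-in for real token-level similarity)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return re.sub(r"\s+", "", src)


def fingerprint(src: str) -> str:
    return hashlib.sha256(normalize(src).encode()).hexdigest()


@dataclass
class CopyReport:
    upstream: str
    matched: int                   # upstream source files found in the package
    total: int                     # upstream source files considered
    pairs: list[tuple[str, str]]   # (upstream path, package path)

    @property
    def similarity(self) -> float:
        return self.matched / self.total


def find_embedded_copy(upstream_name: str, upstream: dict, package: dict,
                       threshold: float = 0.5) -> CopyReport | None:
    """Report a copy if at least `threshold` of upstream's source files occur
    (modulo whitespace/comments) anywhere in `package`; else None."""
    index: dict[str, list[str]] = {}
    for path, src in package.items():
        if path.endswith(SOURCE_EXT):
            index.setdefault(fingerprint(src), []).append(path)
    pairs, total = [], 0
    for path, src in upstream.items():
        if not path.endswith(SOURCE_EXT):
            continue
        total += 1
        for pkg_path in index.get(fingerprint(src), []):
            pairs.append((path, pkg_path))
    matched = len({u for u, _ in pairs})
    if total == 0 or matched / total < threshold:
        return None
    return CopyReport(upstream_name, matched, total, pairs)


def embedded_version(package: dict, report: CopyReport) -> str | None:
    """Read a VERSION file in the directory shared by the matched files
    (assumption for this example: the embedded copy carries one)."""
    if not report.pairs:
        return None
    copy_dir = posixpath.commonpath([p for _, p in report.pairs])
    text = package.get(posixpath.join(copy_dir, "VERSION"))
    return text.strip() if text else None


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def is_unfixed(embedded: str, fixed_in: str) -> bool:
    """True if the embedded copy predates the fixing upstream release.
    Caveat: a backported fix leaves the version string unchanged, which is
    the false-positive case the thread describes; confirm against the patch."""
    return parse_version(embedded) < parse_version(fixed_in)


def locate_vulnerable_files(cve_summary: str, report: CopyReport) -> list[str]:
    """Map file names mentioned in the CVE summary to the package's copies."""
    names = {posixpath.basename(n)
             for n in re.findall(r"[\w./-]+\.(?:c|h|cc|cpp)\b", cve_summary)}
    return sorted(pkg for up, pkg in report.pairs if posixpath.basename(up) in names)


if __name__ == "__main__":
    rep = find_embedded_copy("libfoo", UPSTREAM_LIBFOO, PACKAGE_BAR)
    if rep:
        ver = embedded_version(PACKAGE_BAR, rep)
        print(f"{rep.upstream}: {rep.matched}/{rep.total} files match ({rep.similarity:.0%})")
        print(f"embedded version {ver}, unfixed: {is_unfixed(ver, FIXED_IN)}")
        print("affected file(s):", locate_vulnerable_files(CVE_SUMMARY, rep))
```

The whitespace-stripping fingerprint is what keeps the repacked `contrib/libfoo/parse.c` matching its upstream despite a changed comment and indentation; anything patched by the distro will not match, which is useful on its own, because a file that is similar but not identical to a vulnerable upstream version is the case that needs a human to look at the diff.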
