On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz
<bernd@bzed.de> wrote:
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify why it thinks it's found a code copy based on
> the source code being similar. It also tells you which source file has
> the vuln based on the CVE summary.
The ia32-libs stuff is all false positives (assuming the package was
updated after the security fixes came out, I'm not 100% sure about that
:) And the openssl source is expected to contain the openssl source.
Otherwise I think it might be worth integrating such a check into the
QA tools Debian runs regularly.
Thanks for your work!
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
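The kind of check discussed in this thread, as an added, self-contained example that is not Silvio's tool, Debian QA code, or anything from the original mails: it detects an embedded copy of a library source file inside a package by comparing normalised token shingles (identifiers and numbers collapsed, comments stripped, so renaming and reformatting do not hide the copy), then matches the copied library file against the file name mentioned in a CVE summary, which is the "which source file has the vuln" step the first mail describes. The package and library sources, the CVE summary and the CVE number are all constructed placeholders; the shingle length and the 0.5 threshold are assumptions a real scanner would tune.

```python
import os
import re

K = 5  # shingle length in tokens (assumed value; real tools tune this)

# Constructed sample sources; neither is from any real package.
LIBRARY_FILES = {
    "libfoo/parse.c": """
/* parse a length-prefixed record */
int parse_record(const unsigned char *buf, size_t len, struct rec *out)
{
    if (len < 4)
        return -1;
    out->size = read_u32(buf);
    if (out->size > len - 4)
        return -1;
    memcpy(out->data, buf + 4, out->size);
    return 0;
}
""",
}

PACKAGE_FILES = {
    "bar/src/embedded_parse.c": """
// vendored copy: identifiers renamed and code reformatted
int parse_record(const unsigned char *b, size_t n, struct rec *r) {
  if (n < 4) return -1;
  r->size = read_u32(b);
  if (r->size > n - 4) return -1;
  memcpy(r->data, b + 4, r->size);
  return 0;
}
""",
    "bar/src/main.c": """
#include <stdio.h>
int main(int argc, char **argv)
{
    for (int i = 0; i < argc; i++)
        printf("%s\\n", argv[i]);
    return 0;
}
""",
}

# Constructed CVE-style summary; the identifier is a placeholder, not a real CVE.
CVE_SUMMARY = ("CVE-XXXX-NNNN: Integer underflow in parse.c in libfoo before 1.2 "
               "allows remote attackers to cause a denial of service via a crafted record.")

TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|->|&&|\|\||[^\s\w]")
C_KEYWORDS = {"int", "char", "const", "unsigned", "struct", "if", "else",
              "for", "while", "return", "void", "long", "short"}


def normalize(src):
    """Strip comments and map every identifier to ID and every number to NUM,
    so that renamed or reformatted copies produce the same token stream."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok.isdigit():
            out.append("NUM")
        elif re.match(r"[A-Za-z_]", tok) and tok not in C_KEYWORDS:
            out.append("ID")
        else:
            out.append(tok)
    return out


def shingles(tokens, k=K):
    """Set of k-token windows; the unit of comparison between files."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(src_a, src_b):
    """Jaccard similarity of the two files' shingle sets (0.0 .. 1.0)."""
    sa, sb = shingles(normalize(src_a)), shingles(normalize(src_b))
    if not sa and not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def find_code_copies(package_files, library_files, threshold=0.5):
    """Return (package_file, library_file, score) for every pair at or above threshold."""
    hits = []
    for pkg_path, pkg_src in package_files.items():
        for lib_path, lib_src in library_files.items():
            score = similarity(pkg_src, lib_src)
            if score >= threshold:
                hits.append((pkg_path, lib_path, score))
    return sorted(hits, key=lambda h: -h[2])


def files_named_in_cve(summary, paths):
    """Library files whose basename appears in the CVE summary text."""
    names = set(re.findall(r"\b[\w.-]+\.(?:c|h|cc|cpp)\b", summary))
    return sorted(p for p in paths if os.path.basename(p) in names)


def report(package_files, library_files, cve_summary, threshold=0.5):
    """Join the copy detections with the CVE's file reference, as a reviewable list."""
    affected = set(files_named_in_cve(cve_summary, library_files))
    return [{"package_file": p, "library_file": l, "similarity": round(s, 3),
             "named_in_cve": l in affected}
            for p, l, s in find_code_copies(package_files, library_files, threshold)]


if __name__ == "__main__":
    for row in report(PACKAGE_FILES, LIBRARY_FILES, CVE_SUMMARY):
        print(row)
```

A hit where `named_in_cve` is true is exactly the case the thread is about: a package that carries its own copy of a library file that a CVE names, so it has to be checked against the security tracker to confirm whether the fix reached the embedded copy. The false positives Bernd mentions (a package that legitimately ships the library's own source) are still reported here; distinguishing them needs package metadata, not source similarity.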