Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

["Thijs Kinkhorst" <thijs@debian.org>]

On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz <bernd@bzed.de> wrote:

>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to contain the openssl source.

> Last I checked, ia32-libs on squeeze didn't have the openssl patches for
> 0.9.8. I may have to check more thoroughly to be sure.

Yes. ia32-libs is usually only updated shortly before stable point
releases, so there's commonly a small delta of security updates that have
not been incorporated into it, yet. This is hence 'expected'.


Cheers,
Thijs