Re: working for wheezy-security until wheezy-lts starts

To: Antoine Beaupré <anarcat@orangeseeds.org>, Moritz Muehlenhoff <jmm@inutil.org>
Cc: Guido Günther <agx@sigxcpu.org>, Mike Gabriel <sunweaver@debian.org>, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: working for wheezy-security until wheezy-lts starts
From: Brian May <bam@debian.org>
Date: Sat, 26 Mar 2016 16:24:05 +1100
Message-id: <[🔎] 87y49524ne.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 87d1qk7x01.fsf@angela.anarcat.ath.cx>
References: <20160229152546.Horde.bUTfXxHSPmDu0AWwU5x1bGj@mail.das-netzwerkteam.de> <[🔎] 20160303175559.GA22478@pisco.westfalen.local> <[🔎] 87y49n9qvo.fsf@prune.linuxpenguins.xyz> <[🔎] 20160313115209.GA6851@bogon.m.sigxcpu.org> <[🔎] 87fuvrw19o.fsf@prune.linuxpenguins.xyz> <[🔎] 20160316074449.GB30392@inutil.org> <[🔎] 8760wmx36x.fsf@prune.linuxpenguins.xyz> <[🔎] 874mbzo3i2.fsf@prune.linuxpenguins.xyz> <[🔎] 871t73o20n.fsf@prune.linuxpenguins.xyz> <[🔎] 87d1qk7x01.fsf@angela.anarcat.ath.cx>

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> I am not aware of any such tool. How did you do the following comparison
> - by hand?

Yes, I did.

What I imagine is having same tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then compare against distribution X in
https://security-tracker.debian.org/tracker/CVE-2015-8104

Of course, might be worth waiting to see what happens to CVEs first.

>> Not fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
>>     - CVE-2014-5146 (marked No DSA)
>>     - CVE-2014-5149 (marked No DSA)
>>     - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
>>     through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
>>     - CVE-2014-8341 (marked No DSA)
>
> 2014-8104 is probably a typo, as it concerns OpenVPN according to the
> security tracker. You probably mean CVE-2015-8104...

Yes, that looks like a typo. Thanks for the correction.

> That is an impressive list, and it does seem like we should merge our
> efforts with Ubuntu here!

Agreed.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: working for wheezy-security until wheezy-lts starts
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Brian May <bam@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Guido Günther <agx@sigxcpu.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Brian May <bam@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Brian May <bam@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Brian May <bam@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Brian May <bam@debian.org>
- Re: working for wheezy-security until wheezy-lts starts
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
Next by Date: Re: Xen security updates on Wheezy
Previous by thread: Re: working for wheezy-security until wheezy-lts starts
Next by thread: Re: Wiki update LTS/Using and EOL announcement
Index(es):
- Date
- Thread