Re: working for wheezy-security until wheezy-lts starts

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> I am not aware of any such tool. How did you do the following comparison
> - by hand?

Yes, I did.

What I imagine is having some tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then compare against distribution X in

Of course, might be worth waiting to see what happens to CVEs first.

>> Not fixed in backported Ubuntu precise version
>>     - CVE-2014-5146 (marked No DSA)
>>     - CVE-2014-5149 (marked No DSA)
>>     - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
>>     through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
>>     - CVE-2014-8341 (marked No DSA)
> 2014-8104 is probably a typo, as it concerns OpenVPN according to the
> security tracker. You probably mean CVE-2015-8104...

Yes, that looks like a typo. Thanks for the correction.

> That is an impressive list, and it does seem like we should merge our
> efforts with Ubuntu here!

Brian May <bam@debian.org>
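
A sketch of the kind of tool imagined in the message above, added here as an example; it is not code from this thread or from any Debian tool. The package name, CVE ids and the other distribution's list are constructed, and how that list is obtained is left to the caller.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Entry header in debian/changelog: "package (version) distribution; urgency=..."
HEADER_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) ")

# Constructed sample changelog (hypothetical package and CVE ids).
SAMPLE_CHANGELOG = """\
examplepkg (1.2-3+deb7u2) wheezy-security; urgency=high

  * Fix CVE-2099-0003.
  * Follow-up fix for CVE-2099-0001.

 -- Constructed Maintainer <maint@example.org>  Thu, 01 Jan 2099 00:00:00 +0000

examplepkg (1.2-3+deb7u1) wheezy-security; urgency=high

  * Fix CVE-2099-0001 and cve-2099-0002.

 -- Constructed Maintainer <maint@example.org>  Thu, 01 Jan 2099 00:00:00 +0000
"""

def cve_key(cve):
    """Sort numerically so CVE-2099-10004 sorts after CVE-2099-0002."""
    _, year, number = cve.split("-")
    return int(year), int(number)

def cves_by_version(changelog_text):
    """Map each CVE id to the oldest changelog version that mentions it."""
    first_seen, version = {}, None
    for line in changelog_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            version = header.group("ver")
            continue
        for cve in CVE_RE.findall(line):
            # Newest entries come first, so a later match is an older version.
            first_seen[cve.upper()] = version
    return first_seen

def compare(changelog_text, other_cves):
    """Compare changelog CVE ids with another distribution's list."""
    ours = set(cves_by_version(changelog_text))
    other = {c.upper() for c in other_cves}
    return {
        "only_in_changelog": sorted(ours - other, key=cve_key),
        "only_in_other": sorted(other - ours, key=cve_key),
        "in_both": sorted(ours & other, key=cve_key),
    }
```

The `only_in_other` list is the one to review by hand: an id missing from the changelog may be unfixed, not applicable, or fixed without being mentioned.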