hi,
On Sun, Nov 18, 2018 at 02:01:38PM +0100, Ola Lundqvist wrote:
> What I did was to check CVE-2016-10729 and my conclusion is that I cannot
> reproduce the problem.
(I haven't looked at CVE-2016-10729.)
> It may be so that the checks are not in place but there is obviously
> something preventing the exploit from being reproducible. Either that or that
> you have to be logged in as backup, which is not possible.
can you reproduce the bug in sid or stretch?
if so, I think you can conclude that the exploit really doesn't work on
jessie.
> My question to you is how to properly mark this vulnerability. Is it so
> that it should be "undetermined" or should I mark it in some other way?
see b990a51a15d in security-tracker.git for an example of how to mark
something as not affecting jessie. in short: <not-affected> with an
explanation why.
but only do this if you are really sure, else leave it at undetermined.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C