hi,

On Sun, Nov 18, 2018 at 02:01:38PM +0100, Ola Lundqvist wrote:
> What I did was to check CVE-2016-10729 and my conclusion is that I cannot
> reproduce the problem.

(I haven't looked at CVE-2016-10729.)

> It may be so that the checks are not in place but there is obviously
> something preventing the exploit from being reproducible. Either that or that
> you have to be logged in as backup, which is not possible.

can you reproduce the bug in sid or stretch? if so, I think you can conclude that the exploit really doesn't work on jessie.

> My question to you is how to properly mark this vulnerability. Is it so
> that it should be "undetermined" or should I mark it in some other way?

see b990a51a15d in security-tracker.git for an example how to mark something as not affecting jessie. in short: <not-affected> with an explanation why. but only do this if you are really sure, else leave it at undetermined.

-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C