
Re: final report on all woody DSAs and sarge

Steve Langasek wrote:
> Many thanks for tackling this.
> On Wed, Aug 11, 2004 at 10:42:03PM -0300, Joey Hess wrote:
> > We have now finished checking all the DSAs since woody's release, except
> > for a few that we didn't reach any conclusions on. The following
> > DSAs seem to still be unfixed in sarge:
> > php4 4:4.3.8-1 needed, have 4:4.3.4-4 for DSA-531
> > netkit-telnet-ssl 0.17.24+0.1-2 needed, have 0.17.24+0.1-1 for DSA-529
> > pavuk (unfixed; bug #264684) for DSA-527
> > rlpr (unfixed; bug #255402) for DSA-524
> > lha 1.14i-8 needed, have 1.14i-2 for DSA-515
> > log2mail (unfixed; bug #264687) for DSA-513
> > mysql-dfsg 4.0.18-6 needed, have 4.0.18-5 for DSA-483
> > hsftp 1.15-1 needed, have 1.12-1 for DSA-447
> > trr19 (unfixed; bug #264702) for DSA-430
> > slocate (unfixed; bug #226103) for DSA-428
> > tomcat4 4.1.24-2 needed, have 4.0.4-4 for DSA-395
> > gtksee 0.5.6-1 needed, have 0.5.2-0.1 for DSA-337
> > tomcat4 4.1.16-1 needed, have 4.0.4-4 for DSA-225
> Hmm, do I understand right that the above is really the complete list of
> security fixes pending for sarge?

No, just the low-hanging fruit. As previously noted, this will miss:

        - security holes that were not in woody (would need to scan all
          CVE's to find)
        - security bugs that did not get a CVE (but mdz says he's been
          getting CVE's assigned for all security tagged bugs)
        - security holes for which the security team has not yet issued a
          DSA (mozilla problems come to mind)
        - security holes fixed silently upstream (doh)

And also:

        - security holes that were fixed at one point, but had the fix lost
          due to new upstream versions, accidents, etc.

The next step would be to tackle all the CVEs, which is a much bigger job.

see shy jo

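The "needed, have" lines in the quoted report are a Debian version comparison per DSA: a package is considered fixed only if the version in sarge sorts at or above the fixed version. The script below is an added example, not part of the mail or of any Debian tool; it reimplements the dpkg version ordering (epoch, then upstream_version, then debian_revision, with digit runs compared numerically and "~" sorting below everything) in plain Python and runs it over report lines in the same format. The report embedded in it takes four lines verbatim from the mail plus one constructed line (lha with a hypothetical "have" of 1.14i-10) to show the fixed case; the regexes, function names and that extra line are the example's own assumptions.

```python
"""Check a 'needed, have' DSA report using Debian version ordering.

Added example; the comparison follows the dpkg algorithm (Debian Policy 5.6.12).
"""
import re


def _order(c: str) -> int:
    # Character weight used for non-digit runs: '~' sorts before everything,
    # including the end of the string; letters sort before other characters.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision the way dpkg does:
    alternate runs of non-digits (via _order) and runs of digits
    (compared numerically, leading zeros ignored). Negative/0/positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character decides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, remember the first differing digit,
        # but the longer run (more significant digits) always wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream_version[-debian_revision]' into its parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub)
    if r == 0:
        r = _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


# Line formats as they appear in the quoted report (regexes are this example's own).
VERSION_LINE = re.compile(r"^(\S+) (\S+) needed, have (\S+) for (DSA-\d+)$")
BUG_LINE = re.compile(r"^(\S+) \(unfixed; bug #(\d+)\) for (DSA-\d+)$")


def audit(lines):
    """Return a list of (package, dsa, status) tuples for each report line."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = VERSION_LINE.match(line)
        if m:
            pkg, needed, have, dsa = m.groups()
            status = "fixed" if compare_versions(have, needed) >= 0 else "unfixed"
            out.append((pkg, dsa, status))
            continue
        m = BUG_LINE.match(line)
        if m:
            pkg, bug, dsa = m.groups()
            out.append((pkg, dsa, f"unfixed (bug #{bug})"))
            continue
        out.append((line, "", "unparsed"))
    return out


# Constructed sample: first four lines are from the mail, the last one is
# hypothetical (what the lha line would read once a newer revision is in sarge).
SAMPLE_REPORT = """
php4 4:4.3.8-1 needed, have 4:4.3.4-4 for DSA-531
pavuk (unfixed; bug #264684) for DSA-527
lha 1.14i-8 needed, have 1.14i-2 for DSA-515
tomcat4 4.1.24-2 needed, have 4.0.4-4 for DSA-395
lha 1.14i-8 needed, have 1.14i-10 for DSA-515
"""

if __name__ == "__main__":
    for pkg, dsa, status in audit(SAMPLE_REPORT.splitlines()):
        print(f"{pkg:12} {dsa:8} {status}")
```

The constructed last line is there to show why string comparison is not good enough: 1.14i-10 is newer than 1.14i-8 because digit runs compare numerically. On a Debian system the same check is simply `dpkg --compare-versions 4:4.3.4-4 ge 4:4.3.8-1`, which is the reference implementation this example mirrors.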
