Re: questioning lenny's vulnerability to CVE-2010-3301
Hi Mike, thanks for your reply.
Michael Gilbert wrote:
> etch is no longer supported, so any info there is very likely not up to
> date. the etch entries need to be removed. i'll fix that at some point.
OK. If the etch information is no longer updated even when it's known
to be incorrect then I agree it should be removed.
>> Finally, although 2.6.35-1~experimental.3 is described as fixed, I've
>> now looked at the code and the LOAD_ARGS32 macro is still missing a
>> setting of %eax so I believe it is still vulnerable.
>
>that's a limitation of the tracker since its based on unstable.
>anything greater than unstables 2.6.32-23 will be considered fixed.
I know pretty much nothing about how the tracker works or how difficult
it would be to change it, but if we agree that a tool such as the tracker
is only useful insofar as the information it gives is correct, then I
think it follows that in cases where the assertion is not based on actual
knowledge of the presence or absence of the vulnerability, but is instead
based on a comparison of version numbers that doesn't take into account
the genealogy of the versions, it would be better to make no assertion
rather than risk making an incorrect one. That way, people consulting the
tracker will know that in those cases they need to find out that
information some other way in order to be sure.
Thanks again.
Reply to: