Re: questioning lenny's vulnerability to CVE-2010-3301
Michael Gilbert wrote:
> I think an appropriate fix is to eliminate this assumption in the
> experimental version checking, which will force a lot of experimental
> info to be entered manually.
Hi Mike,
I wouldn't want to force extra manual work - I was thinking that if
nobody had yet established the vulnerability of a particular version,
the tracker could simply say so, e.g. "Status: unknown", or it could
say "Status: assumed fixed" but with a note about how that assumption
was made, in this case by a comparison of version numbers. I think
it would be a logical extension of the existing table that specifies
what "The information above is based on". We would then manually
override that automatic status whenever we knew better.
I wonder if there are better heuristics than comparing version
numbers that would allow us to make assertions that are more likely
to be right - perhaps based on knowledge of the genealogy of versions
such as might already be stored in Debian's bug tracking system.
If I find time to look at the code and make more concrete suggestions
for improvement I will let you know.
Cheers.
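The "status plus its basis" idea sketched above, as an added example that is not part of this thread or of the security tracker's own code: a dpkg-style version comparison (assumed to follow dpkg's ordering rules for epoch, upstream version and revision) feeds a status that records whether it came from a manual entry, a version comparison, or no information at all. The "assumed vulnerable" branch and the sample version strings are constructed here.

```python
import re

def _order(c):
    # dpkg weight: '~' sorts before everything (even end of string),
    # digits/end of string are 0, letters by code point, other symbols last
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg-style comparison of one version part: alternate non-digit runs
    # (weighted by _order) with digit runs (compared numerically)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]: first ':' ends the epoch, last '-' starts the revision
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, following dpkg's ordering: epoch, then upstream, then revision
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)

def derive_status(shipped, fixed_in, manual=None):
    # Status paired with the basis it rests on, so an automatic guess is never
    # shown as established fact; a manually entered status always wins.
    if manual is not None:
        return manual, "entered manually"
    if fixed_in is None:
        return "unknown", "no fixed version recorded"
    if compare_versions(shipped, fixed_in) >= 0:
        return "assumed fixed", f"version comparison: {shipped} >= {fixed_in}"
    return "assumed vulnerable", f"version comparison: {shipped} < {fixed_in}"
```

The basis string is what a tracker page would print next to the status, so a reader can tell a number comparison from a human's verdict at a glance.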