
Re: questioning lenny's vulnerability to CVE-2010-3301



Michael Gilbert wrote:
> I think an appropriate fix is to eliminate this assumption in the
> experimental version checking, which will force a lot of experimental
> info to be entered manually.

Hi Mike,

I wouldn't want to force extra manual work - I was thinking that if
nobody had yet established the vulnerability of a particular version,
the tracker could simply say so, e.g. "Status: unknown", or it could
say "Status: assumed fixed" but with a note about how that assumption
was made, in this case by a comparison of version numbers.  I think
it would be a logical extension of the existing table that specifies
what "The information above is based on".  We would then manually
override that automatic status whenever we knew better.

I wonder if there are better heuristics than comparing version
numbers that would allow us to make assertions that are more likely
to be right - perhaps based on knowledge of the genealogy of versions
such as might already be stored in Debian's bug tracking system.

If I find time to look at the code and make more concrete suggestions
for improvement I will let you know.

Cheers.
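An added illustration of the status model proposed in this message (a version-comparison result labelled as an assumption, with the basis recorded and a manual entry overriding it); this is example code, not the Debian security tracker's own, and its dpkg-style comparison and all version strings are constructed for the demonstration:

```python
import re
from itertools import zip_longest


def _order(c):
    """dpkg ordering for a non-digit character: '~' < end/digit < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one fragment (upstream or revision) as alternating non-digit/digit runs."""
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for x, y in zip_longest(ra, rb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def derive_status(installed, fixed_in, manual=None):
    """Tracker status plus the basis it rests on; a manual entry always wins."""
    if manual is not None:
        return {"status": manual, "basis": "entered manually"}
    if fixed_in is None:
        return {"status": "unknown", "basis": "no fixed version established"}
    if compare_versions(installed, fixed_in) >= 0:
        return {"status": "assumed fixed", "basis": f"version comparison: {installed} >= {fixed_in}"}
    return {"status": "assumed vulnerable", "basis": f"version comparison: {installed} < {fixed_in}"}
```

Calling `derive_status("2.6.26-26", "2.6.26-26lenny1")` yields "assumed vulnerable" with the comparison recorded as its basis, so a reader of the tracker can see that nobody has actually verified the entry.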

