Vassilii Khachaturov wrote:
(See also the bugs from the CC). I believe that Debian should be somehow put on the CERT vendor list: they give the vendors more advance warning on the security issues before they issue an advisory, allowing to issue an emergency patch. Does anybody on this list (debian-security) have any ties with CERT to do it?

----- Original Message -----
From: "Ramon Kagan" <rkagan@yorku.ca>
To: <debian-security@lists.debian.org>
Sent: Monday, March 03, 2003 4:00 PM
Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail (fwd)

Hi,
I don't see Debian listed in the notification list at the bottom of the CERT Advisory. Is there any estimate on the release of patched sendmail packages?
Ramon Kagan

[snip]
I'm guessing that Debian is notified by CERT, since I have seen Debian listed in CERT advisories before. The last CERT Advisory I noticed that applied to Debian was the CA-2003-02 Double-Free Bug in CVS Server. The email announcement did include Debian.
The key is that the vendor responses are those received by CERT, so if Debian was notified (I assume that means CERT emailed someone on the security team, or some other semi-official Debian person) and didn't return a response yet, you won't see Debian in the Advisory email.
According to the advisories, CERT keeps updating the vendor portion of the advisory (http://www.cert.org/advisories/CA-2003-07.html for this advisory), so I'd assume we'll see Debian listed there eventually.
--Rich
_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek@etnsystems.com
_________________________________________________________