Frédéric PICA wrote:
Ok, so the problem remains the same for me. It's possible that a package gets updated for a security reason while being in the stable channel. This is contradictory with the security FAQ. Is there another way (for a program) to get the type of a package? A special way to access the security tracker (RPC, ...)??

Maybe debsecan is suitable for you?

Description: Debian Security Analyzer
 debsecan is a tool to generate a list of vulnerabilities which affect a particular Debian installation. debsecan runs on the host which is to be checked, and downloads vulnerability information over the Internet. It can send mail to interested parties when new vulnerabilities are discovered or when security updates become available.

Regards,
Riku

Thanks,
Frédéric PICA

2008/7/28 Steffen Joeris <steffen.joeris@skolelinux.de>:
Hi Frederic

On Mon, 28 Jul 2008 11:54:55 pm you wrote:
Ok, so this one:

-----------------------------------
proftpd-dfsg (1.3.0-19etch1) stable; urgency=low

  * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.

 -- Francesco Paolo Lovergine <frankie@debian.org>  Tue, 15 Jan 2008 11:50:31 +0100
-----------------------------------

should have been in the security channel, and not in stable. So this is an "error" of the package maintainer and should be an isolated case, right?

Nope, this was a minor issue according to the tracker and thus it got fixed in a point release. CVE ids are not only for major issues, but for all sorts of security issues.

Cheers
Steffen
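
An added example, not part of the thread and not Debian's own tooling: a small Python parser for changelog entries like the one quoted above, which reports security fixes that reached stable through a point release rather than a `-security` upload. The `examplepkg` entries are constructed, and treating the `[SECURITY]` tag as a marker is an assumption taken from the quoted entry's wording.

```python
import re

# First entry is the changelog quoted in the thread; the two "examplepkg"
# entries are constructed for contrast (hypothetical package and versions).
SAMPLE = """\
proftpd-dfsg (1.3.0-19etch1) stable; urgency=low

  * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.

 -- Francesco Paolo Lovergine <frankie@debian.org>  Tue, 15 Jan 2008 11:50:31 +0100

examplepkg (1.0-1etch2) stable-security; urgency=high

  * Fix crash on crafted input (constructed entry, no CVE id assigned).

 -- Example Maintainer <maint@example.org>  Mon, 04 Feb 2008 10:00:00 +0100

examplepkg (1.0-1etch1) stable; urgency=low

  * Fix typo in manual page (constructed entry).

 -- Example Maintainer <maint@example.org>  Mon, 07 Jan 2008 10:00:00 +0100
"""

HEADER = re.compile(r"^(?P<source>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
                    r"(?P<dists>[^;]+); urgency=(?P<urgency>\w+)", re.M)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_entries(text):
    """Split a Debian changelog into entries and extract security-relevant fields."""
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        dists = m["dists"].split()
        entries.append({
            "source": m["source"], "version": m["version"],
            "dists": dists, "urgency": m["urgency"],
            "cves": sorted(set(CVE.findall(body))),
            "tagged": "[SECURITY]" in body,  # assumption: tag as used in the quoted entry
            "security_upload": any(d.endswith("-security") for d in dists),
        })
    return entries

def fixes_outside_security_channel(entries):
    """Entries that fix a security issue but were not uploaded to a -security suite."""
    return [e for e in entries
            if (e["cves"] or e["tagged"]) and not e["security_upload"]]
```

On the sample, only the proftpd-dfsg entry is reported, which matches the point made in the last reply: the upload target and urgency alone do not tell a program whether an update fixes a CVE.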