Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz <firstname.lastname@example.org> wrote:
>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to contain the openssl source.
> Last I checked, ia32-libs on squeeze didn't have the openssl patches for
> 0.9.8. I may have to check more thoroughly to be sure.
Yes. ia32-libs is usually only updated shortly before stable point
releases, so there's commonly a small delta of security updates that have
not been incorporated into it yet. This is hence 'expected'.