
Gaps in security coverage?
Hi folks,

So I recently started running debsecan on one of my boxes.  It's a
fairly barebones server install, uses unattended-upgrades and is fully
up-to-date.  I expected a clean bill of health, but didn't get that.  I
got pages and pages and pages of output.  Some of it (especially kernel
related) I believe may be false positives, but not all.  Some of it
simply isn't patched yet.

Diving into it a bit, it seems that somehow we fell down a bit with
stretch.  The first hit on my list is this one:

https://security-tracker.debian.org/tracker/CVE-2011-5325

Marked fixed in jessie, vulnerable in stretch.  And indeed when looking
at the bug report 802702, I don't see any such changelog entries
pertaining to this in my stretch version.

So, the questions -

1) Is this a symptom of a bad process or of not enough volunteers?  In
other words, could we have marked these security bugs fixed in jessie as
RC for stretch somehow until they were also fixed there?

2) Is there a need for more help with security in general?  If so, what
kinds of volunteering would be appreciated?

Thanks,

John
