Re: Gaps in security coverage?

On 06/11/2018 02:34, Paul Wise wrote:
On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:

So I recently started running debsecan on one of my boxes.  It's a
fairly barebones server install, uses unattended-upgrades and is fully
up-to-date.  I expected a clean bill of health, but didn't get that.  I
got pages and pages and pages of output.  Some of it (especially kernel
related) I believe may be false positives, but not all.  Some of it
simply isn't patched yet.

That has been the normal state of things since I started running
debsecan many many years ago.

I'm not a security expert, but:
* security bugs are found daily
* security bugs are also found by people who don't work on the project, and upstream can treat these bugs in different ways: a lower-severity security bug; no security bug; no bug at all; ...
* software without security bugs (or with fewer of them) is not intrinsically more secure than software with a lot of security bugs... the first one may simply not have been checked for security bugs...
* a security bug in software that you are using can also not impact you; that depends on how you use that software and on the system/network on which it is installed
* ...
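A small triage helper, added here as an example; it is not part of this thread and not debsecan's own code. It parses debsecan-style report lines (the line format is an assumption modelled on debsecan's default report output, and the CVE ids, package names and whitelist entries are constructed for illustration, not real findings) and sorts them into "a fix exists, upgrade", "no fix yet, track it" and "reviewed and whitelisted for this host". That split is what the messages above are circling around: pages of output are not the same thing as pages of things you can act on, and a bug that does not apply to how you use a package belongs in a whitelist with a written reason rather than in the noise.

```python
"""Triage helper for debsecan-style report lines.

ASSUMED input format (modelled on debsecan's default report, not verified
against every debsecan version):

    CVE-YYYY-NNNN package (attr, attr, ...)

Inside the parentheses is a comma-separated list of free-form attributes;
only "fixed" / "fix is available", "remotely exploitable" and "<x> urgency"
are given meaning here.
"""
import re
from dataclasses import dataclass

# Constructed sample input: made-up CVE ids and packages for illustration.
SAMPLE_OUTPUT = """\
CVE-2018-0001 linux (remotely exploitable, high urgency)
CVE-2018-0002 linux (low urgency, fixed)
CVE-2018-0003 openssh-server (remotely exploitable, medium urgency, fixed)
CVE-2018-0004 libfoo1 (low urgency)
CVE-2018-0005 libfoo1 (remotely exploitable, high urgency)
"""

# Local whitelist (same idea as debsecan's --whitelist): CVE ids the admin has
# reviewed and judged not to apply to this host, each with the reason so the
# decision can be re-examined when the package or its use changes.
WHITELIST = {
    "CVE-2018-0004": "libfoo1 is only linked by an offline batch job",  # constructed
}

URGENCY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

LINE_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<pkg>\S+)\s*\((?P<attrs>[^)]*)\)\s*$"
)


@dataclass
class Finding:
    cve: str
    package: str
    attrs: list

    def fix_available(self) -> bool:
        return any(a in ("fixed", "fix is available") for a in self.attrs)

    def remote(self) -> bool:
        return "remotely exploitable" in self.attrs

    def urgency(self) -> str:
        for a in self.attrs:
            if a.endswith(" urgency"):
                return a.split()[0]
        return "unknown"

    def priority(self) -> tuple:
        # Lower sorts first: remote before local, then by urgency.
        return (0 if self.remote() else 1, URGENCY_RANK.get(self.urgency(), 3))


def parse(text: str) -> list:
    """Parse report lines into Finding objects; reject lines we don't understand
    rather than silently dropping them (a dropped line is a missed finding)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised debsecan line: {line!r}")
        attrs = [a.strip() for a in m.group("attrs").split(",") if a.strip()]
        findings.append(Finding(m.group("cve"), m.group("pkg"), attrs))
    return findings


def triage(findings: list, whitelist: dict) -> dict:
    """Split findings into buckets an admin can act on, each sorted by priority.

    actionable:  a fixed package exists, so the host is simply behind (upgrade)
    pending:     no fix yet; nothing to install, keep tracking it
    whitelisted: reviewed and judged not to apply to this host
    """
    buckets = {"actionable": [], "pending": [], "whitelisted": []}
    for f in findings:
        if f.cve in whitelist:
            buckets["whitelisted"].append(f)
        elif f.fix_available():
            buckets["actionable"].append(f)
        else:
            buckets["pending"].append(f)
    for name in buckets:
        buckets[name].sort(key=Finding.priority)  # stable: ties keep input order
    return buckets


def summary(buckets: dict, whitelist: dict) -> str:
    lines = []
    for name in ("actionable", "pending", "whitelisted"):
        lines.append(f"== {name} ({len(buckets[name])}) ==")
        for f in buckets[name]:
            note = f"  # {whitelist[f.cve]}" if f.cve in whitelist else ""
            lines.append(f"{f.cve} {f.package} [{f.urgency()}"
                         f"{', remote' if f.remote() else ''}]{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(triage(parse(SAMPLE_OUTPUT), WHITELIST), WHITELIST))
```

To use it on a real host you would feed it `debsecan`'s output instead of `SAMPLE_OUTPUT` and keep the whitelist under version control next to the host's configuration; the point of the reason string is that "does not apply to how we use it" is a judgement about deployment, and it needs re-checking when the deployment changes.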


