
Re: Gaps in security coverage?

John Goerzen <jgoerzen@complete.org> wrote:

Hi John,

> So I recently started running debsecan on one of my boxes.

debsecan hasn't seen any feature work for about a decade and is
far too noisy, to the point of being useless these days.

> It's a
> fairly barebones server install, uses unattended-upgrades and is fully
> up-to-date.  I expected a clean bill of health, but didn't get that.  I
> got pages and pages and pages of output.  Some of it (especially kernel
> related) I believe may be false positives, but not all.  Some of it
> simply isn't patched yet.

No distro backports everything; that would be outright insane :-)
As such there's no clean bill of health. We look at everything, and if it's
important enough it gets fixed via security.debian.org, and if not, via
point releases or not at all (there are plenty of cases where the tradeoff
of changing stable clearly balances towards not fixing stuff!)

E.g. your specific example of busybox/CVE-2011-5325 is fixed in the
upcoming stretch point release.

> Marked fixed in jessie

After introducing a regression (https://packages.qa.debian.org/b/busybox/news/20180803T045026Z.html),
which is a good example of the balance I mentioned above.

> 2) If so, what kinds of volunteering would be appreciated?

Sure! If you tell us what languages you feel comfortable backporting
security fixes in, I'm sure we can find you some tasks to work
on. Best to reply to the team alias (team@security.debian.org)
and we can pick it up from there.
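The triage described in this reply (fixed via security.debian.org, deferred to a point release, tagged no-dsa, or unimportant and left alone) is exactly what debsecan does not surface, which is why its raw output reads as pages of noise. The following Python script, added here as an illustration and not part of this thread or of any Debian tool, classifies debsecan-style (package, CVE) findings against the Debian security tracker's JSON feed (https://security-tracker.debian.org/tracker/data/json). It assumes the feed's shape as I read it: source package -> CVE id -> "releases" -> suite -> {"status", "fixed_version", "urgency", "nodsa", "repositories"}. The embedded tracker data is constructed for the example (the busybox entry is written as the state after the stretch point release; "libfoo" and its CVEs are hypothetical), the category names are my own, and the findings list stands in for debsecan output.

```python
"""Classify CVE findings for installed packages the way the Debian security
team triages them, using data in the shape of the security tracker JSON feed."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of the tracker feed. The "libfoo" package,
# its CVEs and all version strings are hypothetical; the busybox entry is
# written as it would look once the fix has landed in a stretch point release.
SAMPLE_TRACKER_JSON = json.dumps({
    "busybox": {
        "CVE-2011-5325": {
            "scope": "local",
            "releases": {
                "stretch": {"status": "resolved", "urgency": "low",
                            "fixed_version": "1:1.22.0-19+deb9u1",
                            "repositories": {"stretch": "1:1.22.0-19+b3"}},
            },
        },
    },
    "libfoo": {
        "CVE-2018-0001": {  # fixed through a DSA: the -security repository carries it
            "scope": "remote",
            "releases": {
                "stretch": {"status": "resolved", "urgency": "high",
                            "fixed_version": "1.0-2+deb9u1",
                            "repositories": {"stretch": "1.0-2",
                                             "stretch-security": "1.0-2+deb9u1"}},
            },
        },
        "CVE-2018-0002": {  # unimportant: will not be touched in stable
            "scope": "local",
            "releases": {
                "stretch": {"status": "open", "urgency": "unimportant",
                            "repositories": {"stretch": "1.0-2"}},
            },
        },
        "CVE-2018-0003": {  # tagged no-dsa: point release at most
            "scope": "local",
            "releases": {
                "stretch": {"status": "open", "urgency": "low",
                            "nodsa": "Minor issue",
                            "repositories": {"stretch": "1.0-2"}},
            },
        },
        "CVE-2018-0004": {  # genuinely open
            "scope": "remote",
            "releases": {
                "stretch": {"status": "open", "urgency": "medium",
                            "repositories": {"stretch": "1.0-2"}},
            },
        },
    },
})

# Constructed findings, as a scanner such as debsecan would report them.
CONSTRUCTED_FINDINGS: List[Tuple[str, str]] = [
    ("busybox", "CVE-2011-5325"),
    ("libfoo", "CVE-2018-0001"),
    ("libfoo", "CVE-2018-0002"),
    ("libfoo", "CVE-2018-0003"),
    ("libfoo", "CVE-2018-0004"),
    ("libfoo", "CVE-2018-9999"),  # not known to the tracker at all
]


def classify(entry: dict, suite: str) -> str:
    """Map one tracker CVE entry to a triage category for the given suite."""
    rel = entry.get("releases", {}).get(suite)
    if rel is None:
        return "not-tracked-in-suite"
    status = rel.get("status")
    repos = rel.get("repositories", {})
    if status == "resolved":
        # A fixed version in the suite's -security repository means a DSA;
        # otherwise the fix came (or comes) through a point release.
        return "fixed-via-dsa" if f"{suite}-security" in repos else "fixed-via-point-release"
    if status == "open":
        if rel.get("urgency") == "unimportant":
            return "open-unimportant"
        if "nodsa" in rel:
            return "open-no-dsa"
        return "open"
    return "undetermined"


def triage(tracker_json: str, findings: List[Tuple[str, str]], suite: str) -> Dict[str, str]:
    """Return {"pkg/CVE": category} for every finding."""
    data = json.loads(tracker_json)
    report = {}
    for pkg, cve in findings:
        entry = data.get(pkg, {}).get(cve)
        report[f"{pkg}/{cve}"] = "unknown-cve" if entry is None else classify(entry, suite)
    return report


def actionable(report: Dict[str, str]) -> List[str]:
    """Findings still worth a human look: open, undetermined, or unknown to the tracker."""
    return sorted(k for k, v in report.items() if v in ("open", "undetermined", "unknown-cve"))


if __name__ == "__main__":
    rep = triage(SAMPLE_TRACKER_JSON, CONSTRUCTED_FINDINGS, "stretch")
    for key, cat in sorted(rep.items()):
        print(f"{key:28s} {cat}")
    print("actionable:", actionable(rep))
```

In practice you would fetch the live feed instead of the embedded sample and feed it the package/CVE pairs from debsecan; the point of the categories is that only the "open" bucket (plus anything the tracker has no record of) remains after applying the policy described above, and the rest of the "pages and pages" is already accounted for.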

