On 06/11/2018 02:34, Paul Wise wrote:
> On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:
> > So I recently started running debsecan on one of my boxes. It's a fairly barebones server install, uses unattended-upgrades and is fully up-to-date. I expected a clean bill of health, but didn't get that. I got pages and pages and pages of output. Some of it (especially kernel related) I believe may be false positives, but not all. Some of it simply isn't patched yet.
>
> That has been the normal state of things since I started running debsecan many many years ago.
I'm not a security expert, but:

* security bugs are found daily
* security bugs are also found by people who don't work on the project, and upstream can treat these bugs in different ways: lower-severity security bug; not a security bug; not a bug at all; ...
* software without security bugs (or with fewer) is not intrinsically more secure than software with a lot of security bugs... the first one may simply not have been checked for security bugs...
* a security bug in software that you are using may also not impact you; that depends on how you use that software and the system/network on which it is installed
* ...

Ciao
Davide
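The triage Davide describes (a fix is available: patch; no fix yet: ask whether the package is actually reachable on this host) can be applied mechanically to debsecan's output. The script below is an added example, not code from the thread or from the debsecan project. It assumes debsecan's default one-line summary format, `CVE-YYYY-NNNN <package> (<note>, <note>, ...)`, where the notes may include `fixed`, `remotely exploitable` and `low|medium|high urgency`; the sample lines and their CVE numbers are constructed for the example, and the set of network-facing packages is something only the administrator of the box can supply.

```python
"""Sort debsecan summary lines into actionable buckets.

Added example; assumes (not verified against every debsecan version) the
default summary format:  CVE-YYYY-NNNN <package> (<note>, <note>, ...)
"""
import re
import sys
from collections import Counter

# Constructed sample output with made-up CVE numbers (not real advisories).
SAMPLE_OUTPUT = """\
CVE-2018-0001 linux (remotely exploitable, high urgency)
CVE-2018-0002 linux (low urgency)
CVE-2018-0003 openssh-server (fixed, remotely exploitable, high urgency)
CVE-2018-0004 libxml2 (remotely exploitable, medium urgency)
CVE-2018-0005 exim4 (remotely exploitable, high urgency)
CVE-2018-0006 vim (low urgency)
"""

# Packages on this (hypothetical) host that actually listen on the network.
NETWORK_EXPOSED = {"openssh-server", "exim4"}

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_line(line):
    """Return a dict for one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cve, package, notes = m.group(1), m.group(2), m.group(3) or ""
    flags = {n.strip() for n in notes.split(",") if n.strip()}
    urgency = next((f.split()[0] for f in flags if f.endswith("urgency")),
                   "unknown")
    return {
        "cve": cve,
        "package": package,
        "fixed": "fixed" in flags,                 # a fixed package exists
        "remote": "remotely exploitable" in flags,  # per debsecan's note
        "urgency": urgency,
    }


def triage(output, network_exposed):
    """Bucket entries: patch now, exposed-and-unpatched, unexposed, local."""
    buckets = {"patch_now": [], "exposed_unpatched": [],
               "unexposed_unpatched": [], "local_only": []}
    for line in output.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # headers, blank lines, anything not a CVE line
        if entry["fixed"]:
            buckets["patch_now"].append(entry)
        elif entry["remote"] and entry["package"] in network_exposed:
            buckets["exposed_unpatched"].append(entry)
        elif entry["remote"]:
            buckets["unexposed_unpatched"].append(entry)
        else:
            buckets["local_only"].append(entry)
    return buckets


def count_by_package(output):
    """How many open (unfixed) entries each package contributes."""
    counts = Counter()
    for line in output.splitlines():
        entry = parse_line(line)
        if entry is not None and not entry["fixed"]:
            counts[entry["package"]] += 1
    return counts


if __name__ == "__main__":
    # Pipe real output in:  debsecan | python3 triage.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = triage(text, NETWORK_EXPOSED)
    for name, entries in result.items():
        print(f"{name}: {len(entries)}")
        for e in entries:
            print(f"  {e['cve']} {e['package']} ({e['urgency']} urgency)")
    print("open entries per package:", dict(count_by_package(text)))
```

The `patch_now` bucket is what `debsecan --only-fixed` reports; the remaining buckets are where the judgement Davide mentions comes in, and the per-package count shows how much of a long listing is a single package such as the kernel.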