
Re: Re: How to see the list of CRITICALLY vulnerable packages in Debian?



[Sent by mistake to maxwillb only - forwarding to the list]

>From amacater@einval.com Sat Dec 25 15:16:59 2021
Date: Sat, 25 Dec 2021 15:16:59 +0000
From: "Andrew M.A. Cater" <amacater@einval.com>
To: maxwillb <maxwillb@mailfence.com>
Subject: Re: How to see the list of CRITICALLY vulnerable packages in Debian?
Message-ID: <Ycc169WpEGYNBkuj@einval.com>
References: <461915924.365881.1640387246679@ichabod.co-bxl>
 <YccT2zGMlPm7E5wu@einval.com>
 <240282256.412431.1640442971976@ichabod.co-bxl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <240282256.412431.1640442971976@ichabod.co-bxl>
Status: RO
Content-Length: 2175
Lines: 62

On Sat, Dec 25, 2021 at 03:36:12PM +0100, maxwillb wrote:
> December 25, 2021 1:51:39 PM CET "Andrew M.A. Cater" <amacater@einval.com> wrote:On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
>
> > It's not as if people are massively dropping the ball here, in spite of your apprehension.
>
> I'm sure Debian is doing its best. It's just that it's not enough:
>
> https://security-tracker.debian.org/tracker/CVE-2021-30521
>
> ~6 months old. HIGH severity on NVD. "Not yet assigned" on Debian.
>
> https://security-tracker.debian.org/tracker/CVE-2021-37973
>
> ~3 months old. CRITICAL severity on NVD. "Not yet assigned" on Debian.
>
> etc. etc. ...
>

Hi Maxwillb


https://security-team.debian.org/security_tracker.html#gentle-introduction

is probably the best I can do. If it helps: as you're aware, we're likely
to drop chromium from Debian altogether.

* Not all issues are necessarily disclosed by Google - who own the codebase
  for Chrome and thereby for Chromium and don't necessarily regard Chromium as
  meaningful.
* It's a significant codebase - and hard to build on all architectures
* It's released regularly enough that it's hard to track issues
* Do you just "take the latest code drop and pray it fixes issues"?

and the maintainers are working hard to keep up. Dropping it would solve
the issue - that probably means that every Debian derived distribution
will also lose Chromium. I note that Fedora are packaging Chromium
in EPEL at the moment but a quick Google shows the following, for example
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-01679b76db

So you're raising issues that everyone knows but can't do a great deal about
given the difficulties of working out what is specific to proprietary Chrome
and what is effective on Chromium.

Hope this helps, as ever, Merry Christmas to all reading the list, by the way

All the very best, as ever,

Andy Cater


>
> But I don't want to click on every one of these links. I just want to filter the vulnerabilities by their NVD severity. Hence this question.
>
> --
> Sent with https://mailfence.com
> Secure and private email
>
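The filtering maxwillb asks for, joining the Debian security tracker's per-suite status with NVD's severity, as an added example that is not part of this thread and not Debian's own tooling. It assumes the layout of the tracker's JSON export at https://security-tracker.debian.org/tracker/data/json (source package -> CVE id -> per-suite status and urgency) and a caller-supplied CVE -> NVD baseSeverity map; both inputs below are constructed sample data, with the two chromium CVE ids and their NVD severities taken from the thread and the "examplepkg" entries made up.

```python
import json

# Ordering used for the severity threshold (NVD's CVSS v3 baseSeverity values).
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of the Debian tracker export
# (https://security-tracker.debian.org/tracker/data/json): source package ->
# CVE id -> per-suite status. "examplepkg" and the CVE-2021-00000x ids are
# made up for the example; the chromium ids are the ones from the thread.
SAMPLE_TRACKER_JSON = json.dumps({
    "chromium": {
        "CVE-2021-30521": {
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open", "urgency": "not yet assigned"},
                "sid": {"status": "open", "urgency": "not yet assigned"},
            },
        },
        "CVE-2021-37973": {
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open", "urgency": "not yet assigned"},
                "sid": {"status": "open", "urgency": "not yet assigned"},
            },
        },
    },
    "examplepkg": {
        "CVE-2021-000001": {  # constructed: fixed in both suites
            "scope": "local",
            "releases": {
                "bullseye": {"status": "resolved", "urgency": "low",
                             "fixed_version": "1.0-2+deb11u1"},
                "sid": {"status": "resolved", "urgency": "low",
                        "fixed_version": "1.1-1"},
            },
        },
        "CVE-2021-000002": {  # constructed: open, but not yet scored by NVD
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open", "urgency": "not yet assigned"},
                "sid": {"status": "open", "urgency": "not yet assigned"},
            },
        },
    },
})

# Constructed CVE -> NVD baseSeverity map. In practice a caller fills this from
# the NVD CVE feeds/API (the cvssData.baseSeverity field of a cvssMetricV31
# entry); the chromium values are the severities quoted in the thread.
SAMPLE_NVD_SEVERITY = {
    "CVE-2021-30521": "HIGH",
    "CVE-2021-37973": "CRITICAL",
    "CVE-2021-000001": "CRITICAL",   # resolved in Debian, so it must not be listed
    # CVE-2021-000002 deliberately absent: NVD has not scored it yet
}


def open_cves_by_nvd_severity(tracker_json, nvd_severity, suite,
                              min_severity="HIGH", include_unrated=False):
    """List CVEs still open in `suite` whose NVD severity is >= min_severity.

    Returns dicts sorted by NVD severity (highest first), then CVE id. CVEs
    that NVD has not scored are reported as "UNRATED" only when
    include_unrated is set, so a missing NVD score is a visible choice rather
    than a silent gap in the report.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    tracker = json.loads(tracker_json)
    hits = []
    for package, cves in tracker.items():
        for cve_id, info in cves.items():
            release = info.get("releases", {}).get(suite)
            if release is None or release.get("status") != "open":
                continue  # not tracked for this suite, or already fixed
            severity = nvd_severity.get(cve_id, "UNRATED").upper()
            if severity == "UNRATED":
                if not include_unrated:
                    continue
                rank = -1  # sorts after every rated entry
            else:
                rank = SEVERITY_RANK[severity]
                if rank < threshold:
                    continue
            hits.append({"package": package, "cve": cve_id,
                         "nvd_severity": severity,
                         "debian_urgency": release.get("urgency", "unknown"),
                         "_rank": rank})
    hits.sort(key=lambda h: (-h["_rank"], h["cve"]))
    for h in hits:
        del h["_rank"]
    return hits


if __name__ == "__main__":
    for hit in open_cves_by_nvd_severity(SAMPLE_TRACKER_JSON, SAMPLE_NVD_SEVERITY,
                                         "bullseye", "HIGH", include_unrated=True):
        print(f'{hit["cve"]:16} {hit["nvd_severity"]:9} {hit["package"]:12} '
              f'debian urgency: {hit["debian_urgency"]}')
```

Run against the real export, the same function gives the per-suite list of open CVEs at or above a chosen NVD severity together with Debian's own urgency, which is the comparison the quoted message makes by hand for two chromium CVEs. Keep `include_unrated` on when the goal is completeness: NVD scoring lags too, and an unrated open CVE is still an open CVE.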


