On 02/18/2015 08:44 AM, Thijs Kinkhorst wrote:

> Yes, we know about those issues. That's why debsecan reports them to you in the first place. A good place to learn more about an issue is to actually follow the links you pasted at the bottom of your email. There you can e.g. see a motivation for why libtiff4 is not that urgent to fix, similar for php5, and the useful note that clamav will be fixed through wheezy-updates and not wheezy-security (it's currently in the srm queue).
>
> If you are alarmed by the output of debsecan, it may be because the tool lacks the nuance that is represented in the tracker and does not expose the information above. Of the many issues coming in every day, there are many shades of impact and priority.

Perhaps what we need then is for more nuance in the tracker? For instance, https://security-tracker.debian.org/tracker/TEMP-0000000-244FCB says "php5 is vulnerable; however, the security impact is unimportant." But under Status, it just says "vulnerable".

Well, is it vulnerable to a real issue or not? It seems to me they are saying it is not vulnerable to a security issue. Should that status then be "not vulnerable" or perhaps even some other status?

Regarding the python2.6 one you were saying wasn't a big deal -- there's a proof of concept exploit for it: https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ . Why would the tracker say that such a thing wasn't important enough to fix?

John
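The nuance discussed in this thread lives in the tracker's per-release "urgency" field, which debsecan's flat "vulnerable" listing does not show. The following is an added example, not code from the thread or from debsecan: it joins debsecan-style findings with a constructed sample in the shape of the tracker's JSON export (package -> issue id -> releases -> suite -> status/urgency; that shape is an assumption here) and separates "open but unimportant" from findings that still need attention. The issue ids other than the TEMP one quoted above are placeholders, not the real issues the thread refers to.

```python
import json

# Constructed sample in the assumed shape of the tracker's JSON export.
# Only TEMP-0000000-244FCB is from the thread; the CVE-0000-* ids are placeholders.
TRACKER_JSON = json.dumps({
    "php5": {"TEMP-0000000-244FCB": {
        "description": "php5 is vulnerable; however, the security impact is unimportant.",
        "releases": {"wheezy": {"status": "open", "urgency": "unimportant"}}}},
    "libtiff4": {"CVE-0000-0001": {
        "description": "placeholder issue, low urgency",
        "releases": {"wheezy": {"status": "open", "urgency": "low"}}}},
    "clamav": {"CVE-0000-0002": {
        "description": "placeholder issue, fix pending via wheezy-updates",
        "releases": {"wheezy": {"status": "open", "urgency": "medium"}}}},
    "python2.6": {"CVE-0000-0003": {
        "description": "placeholder issue with a public proof of concept",
        "releases": {"wheezy": {"status": "open", "urgency": "high"}}}},
})

# Constructed debsecan-style lines: "<issue id> <package>".
DEBSECAN_OUTPUT = """\
TEMP-0000000-244FCB php5
CVE-0000-0001 libtiff4
CVE-0000-0002 clamav
CVE-0000-0003 python2.6
"""

def annotate(debsecan_output, tracker_json, suite="wheezy"):
    """Join each debsecan finding with the tracker's status and urgency for `suite`.

    Returns (issue, package, status, urgency) tuples; both fields are 'unknown'
    when the tracker sample has no record for that package/issue pair."""
    tracker = json.loads(tracker_json)
    rows = []
    for line in debsecan_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        issue, package = parts[0], parts[1]
        rel = tracker.get(package, {}).get(issue, {}).get("releases", {}).get(suite, {})
        rows.append((issue, package, rel.get("status", "unknown"), rel.get("urgency", "unknown")))
    return rows

def needs_attention(rows):
    """Keep findings that are still open and not rated 'unimportant' by the tracker."""
    return [r for r in rows if r[2] == "open" and r[3] != "unimportant"]

if __name__ == "__main__":
    rows = annotate(DEBSECAN_OUTPUT, TRACKER_JSON)
    for row in rows:
        print("%s %s: %s, urgency %s" % row)
    print("needing attention:", [r[0] for r in needs_attention(rows)])
```

Run against a real tracker export, the same join shows why debsecan's list looks longer than the set of issues the security team considers actionable.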