Re: forming a security team for testing

[Joey Hess]

I wrote:
>  - Edit the CAN/list file and claim a range of CANs to check. Note that
>    CANs that have already been checked as part of the DSA checks are so
>    marked. Commit the file.

I've added a CVE/list also, with about 80 CVE's per year to add to the
things to check. We've only got 130 more CAN's to check for 2004, plus
the CVE's, and then we can start on 2003.

Current list of security problems apparently unfixed in sarge:

postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977
perl (unfixed; bug #278404) for CAN-2004-0976
openssl (unfixed; bug #278260) for CAN-2004-0975
netatalk (unfixed; bug #278396) for CAN-2004-0974
kbr5 (unfixed; bug #278271; not shipped in binary package) for CAN-2004-0971
arla (unfixed; bug #278273) for CAN-2004-0971
groff 1.18.1.1-2 needed, have 1.18.1.1-1 for CAN-2004-0969
libc6 (unfixed; bug #278278) for CAN-2004-0968
gs-common (unfixed; bug #278282) for CAN-2004-0967
gettext 0.14.1-6 needed, have 0.14.1-5 for CAN-2004-0966
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0909
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0908
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0906
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0905
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0904
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0903
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0902
apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
gnats (unfixed; bug #278577) for CAN-2004-0623
qla2x00-source (unfixed; bug #27870) for CAN-2004-0587
overkill (unfixed; bug #278709) for CAN-2004-0238
cabextract 1.1-1 needed, have 1.0-1 for DSA-574-1
kpdf (unfixed; bug #278173) for DSA-573-1
gpdf 2.8.0-1 needed, have 2.8.0-0.1 for DSA-573-1
libpng3 1.2.5.0-9 needed, have 1.2.5.0-8 for DSA-571-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539

Current number of team members: 7

There's a mailing list on alioth that's supposed to get svn commit
messages, but for some reason only mine currently seem to be getting
through. I'm pondering whether to set up a list for the team too, or
keep using this one.

-- 
see shy jo

signature.asc
Description: Digital signature