On 02/18/2015 08:44 AM, Thijs Kinkhorst wrote:
> Yes, we know about those issues. That's why debsecan reports them to you
> in the first place. A good place to learn more about an issue is to
> actually follow the links you pasted at the bottom of your email. There
> you can e.g. see a motivation for why libtiff4 is not that urgent to fix,
> similar for php5 and the useful note that clamav will be fixed through
> wheezy-updates and not wheezy-security (it's currently in the srm queue).
>
> If you are alarmed by the output of debsecan, it may be because the tool
> lacks the nuance that is represented in the tracker and does not expose
> the information above. Of the many issues coming in every day, there are
> many shades of impact and priority.

Perhaps what we need, then, is more nuance in the tracker? For instance,
https://security-tracker.debian.org/tracker/TEMP-0000000-244FCB says
"php5 is vulnerable; however, the security impact is unimportant." But
under Status, it just says "vulnerable".

Well, is it vulnerable to a real issue or not? It seems to me they are
saying it is not vulnerable to a /security/ issue. Should that status then
be "not vulnerable" or perhaps even some other status?

Regarding the python2.6 one you were saying wasn't a big deal -- there's a
proof-of-concept exploit for it:
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Why would the tracker say that such a thing wasn't important enough to fix?

John