John Goerzen <jgoer...@complete.org> schrieb: Hi John,
> So I recently started running debsecan on one of my boxes. debsecan hasn't seen any feature work for about a decade and is far too noisy to the point of being useless these days. > It's a > fairly barebones server install, uses unattended-upgrades and is fully > up-to-date. I expected a clean bill of health, but didn't get that. I > got pages and pages and pages of output. Some of it (especially kernel > related) I believe may be false positives, but not all. Some of it > simply isn't patched yet. No distro backports everything, that would be outright insane :-) As such there's no clean bill of health. We look at everything and if it's important enough it gets fixed via security.debian.org and if not, via point releases or not at all (there's plenty of cases where the tradeoff of changing stable clearly balances towards not fixing stuff!) E.g. your specific example of busybox/CVE-2011-5325 is fixed in the upcoming stretch point release. > Marked fixed in jessie After introducing a regression (https://packages.qa.debian.org/b/busybox/news/20180803T045026Z.html) which is a good example of the balance I mentioned above. > 2) If so, what kinds of volunteering would be appreciated? Sure! If you tell us what languages you feel comfortable to backport security fixes in, I'm sure we can find you some tasks to work on, best to reply to the team alias (t...@security.debian.org) and can pick it up from there. Thanks, Moritz
