[Henri Salo]
> Has there been any progress with this project? I am glad to help if
> there is something I can do? This is needed in my opinion.
You could try to run the scripts I created in the debian-security svn
repository, and see how they could be improved. I have not had time
to work much on
On Mon, Jul 02, 2012 at 07:59:26PM +0200, Petter Reinholdtsen wrote:
> [Silvio Cesare]
> > I recently ran the tool and cross referenced identified code copies with
> > Debian's security tracking of affected packages by CVE. I did this for all
> > CVEs in 2010, 2011, and 2012.
>
> This sounds like a
On Mon, Jul 02, 2012 at 12:27:06PM +0200, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ... ]
> > Now some of these cases are going to be false positives. From looking at
> > the results, many of the vulns were probably fixed but have not been
> > reported in the
[Michael Gilbert]
>> Are you aware of my proposal to do this, mentioned on debian-security
>> and also drafted on http://wiki.debian.org/CPEtagPackagesDep >?
>
> Does this actually cover embedded code copies? The spec probably
> needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
>
> [Silvio Cesare]
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that co
On Mon, Jul 2, 2012 at 4:38 AM, Bastian Blank wrote:
> Can this tool be used to identify all code copies, regardless of CVE?
Indeed, we plan to run it over the whole archive on a regular basis
and link to the results from the PTS.
Silvio, thanks a lot for your work, I'm looking forward to sponso
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to c
Last I checked, ia32-libs on squeeze didn't have the openssl patches for
0.9.8. I may have to check more thoroughly to be sure. It might have some
other vulns as well.
--
Silvio
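The cross-referencing that Silvio describes earlier in the thread (running the copy detector, then checking each detected embedded copy against the packages the security tracker lists for each CVE of 2010, 2011 and 2012) can be sketched as a small script. The block below is an added example written for this page; it is neither Silvio's tool nor code from the Debian security tracker. It assumes two inputs: (package, embedded library) pairs of the kind a clone detector emits, and a CVE list in a simplified form of the tracker's data/CVE/list layout (a `CVE-YYYY-NNNN (description)` header followed by tab-indented `- package version` lines, optionally prefixed by a `[release]` tag). All CVE ids, versions and package/library pairs in the sample are constructed placeholders, not real tracker entries, and every hit is only a candidate for the reason the thread gives: the embedded copy may already carry the fix (as was argued for ia32-libs), which the detector alone cannot tell.

```python
"""Cross-reference detected embedded code copies against a CVE list.

Added example; this is not Silvio Cesare's tool nor code from the Debian
security tracker.  It assumes two inputs:

  1. (package, embedded_library) pairs, as a clone-detection run might emit;
  2. a CVE list written in the style of the tracker's data/CVE/list file:
     a 'CVE-YYYY-NNNN (description)' header followed by tab-indented
     '- <package> <version>' lines, optionally prefixed by a '[release]' tag.

Every CVE id, version and package/library pair below is a constructed
placeholder, not a real tracker entry.
"""
import re
from collections import defaultdict

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s|$)")
# '\t- pkg version ...' or '\t[squeeze] - pkg version ...'
PKG_LINE = re.compile(r"^\s+(?:\[[\w-]+\]\s+)?-\s+(\S+)\s+(\S+)")


def parse_cve_list(text):
    """Return {cve_id: {affected source package, ...}}.

    Lines such as '{DSA-...}', 'NOTE:', 'RESERVED' and 'NOT-FOR-US:' carry
    no package and are skipped; '<not-affected>' entries are excluded.
    """
    affected = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = CVE_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = PKG_LINE.match(line)
        if m and m.group(2) != "<not-affected>":
            affected[current].add(m.group(1))
    return dict(affected)


def cross_reference(copies, affected, years):
    """Return (cve, library, package) triples for every package that embeds
    a copy of a library listed under a CVE from `years` without itself
    being listed under that CVE.

    Each triple is only a candidate: the tracker may have missed the
    package, or the embedded copy may already carry the fix (a false
    positive that the copy detector alone cannot rule out), so every hit
    still needs a look at the package's actual source.
    """
    embeds = defaultdict(set)  # library -> packages that embed it
    for pkg, lib in copies:
        embeds[lib].add(pkg)

    findings = []
    for cve in sorted(affected):
        if int(cve.split("-")[1]) not in years:
            continue
        for lib in sorted(affected[cve]):
            for pkg in sorted(embeds.get(lib, ())):
                if pkg not in affected[cve]:
                    findings.append((cve, lib, pkg))
    return findings


def format_report(findings):
    """One line per candidate, for a human to review."""
    return "\n".join(
        f"{cve}: {pkg} embeds {lib} but is not listed for this CVE"
        for cve, lib, pkg in findings
    )


# Constructed sample data (placeholder ids and versions, not real entries).
SAMPLE_CVE_LIST = """\
CVE-2010-1001 (constructed: buffer overflow in openssl)
\t{DSA-0001-1}
\t- openssl 0.9.8o-1 (bug #1)
\t[squeeze] - openssl 0.9.8o-1squeeze1
CVE-2011-1002 (constructed: zlib header parsing flaw)
\t- zlib 1:1.2.3.4.dfsg-4
\t- ia32-libs 20110101
CVE-2012-1003 (constructed: libpng chunk handling)
\t- libpng 1.2.49-1
\tNOTE: embedded copies may or may not carry the fix
CVE-2012-1004
\tRESERVED
CVE-2009-0999 (constructed: old issue, outside the scanned years)
\t- openssl 0.9.8k-1
"""

SAMPLE_COPIES = [
    ("ia32-libs", "openssl"),  # constructed: a bundled 0.9.8-series copy
    ("ia32-libs", "zlib"),
    ("some-game", "libpng"),
    ("some-game", "zlib"),
]

if __name__ == "__main__":
    hits = cross_reference(SAMPLE_COPIES, parse_cve_list(SAMPLE_CVE_LIST),
                           {2010, 2011, 2012})
    print(format_report(hits))
```

With the constructed data, ia32-libs is reported for the openssl CVE but not for the zlib one (the tracker sample already lists it there), and the 2009 entry is skipped because it lies outside the scanned years. A real run would feed the detector's output and the tracker's actual file into the same two functions; the `[release]` lines are folded into the unstable entry here, so a per-release view would need the release tag kept rather than discarded.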
On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ...
On Mon, Jul 02, 2012 at 06:53:54PM +1000, Silvio Cesare wrote:
> I recently ran the tool and cross referenced identified code copies with
> Debian's security tracking of affected packages by CVE. I did this for all
> CVEs in 2010, 2011, and 2012.
Can this tool be used to identify all code copies,
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify wh