Re: Should we be alarmed at our state of security support?

2015-02-19 Thread Paul Wise
On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote:
> Right now, the security tracker has, apparently, three statuses for each
> version of Debian:
>
> not vulnerable
> vulnerable
> fixed
>
> What if we add a fourth:
>
> not worth fixing
>
> This could more clearly communicate what is being said b

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread John Goerzen
On 02/19/2015 08:24 AM, Michael Stone wrote:
> On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
>> However, part of what I was trying to figure out here is: do we have a
>> lot of unpatched vulnerabilities in our archive?
>
> Yes. Every system (not just debian) has unpatched vulnerabil

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread Michael Stone
On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
> However, part of what I was trying to figure out here is: do we have a
> lot of unpatched vulnerabilities in our archive?

Yes. Every system (not just debian) has unpatched vulnerabilities. In some cases those vulnerabilities are known

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread Thijs Kinkhorst
On Thu, February 19, 2015 14:29, John Goerzen wrote:
> But how else is someone going to learn that when security-tracker says
> "vulnerable", in hundreds of instances, that may be wrong, other than by
> asking? I didn't find this documented anywhere.

I think where your misunderstanding originates

Re: Missing tiff3 patch in security repo

2015-02-19 Thread Thijs Kinkhorst
On Wed, February 18, 2015 18:50, John Goerzen wrote:
> On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
>> Hi John,
>>
>> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>>

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread John Goerzen
On 02/19/2015 12:25 AM, Michael Gilbert wrote:
> On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
>> On this machine, it found 472 vulnerabilities. Quite a few of them fit
>> into the remotely exploitable, high urgency category. Many date back to
>> last year, some as far back as 2012. I've