Helge Kreutzmann
2007-Feb-10 16:47 UTC
[Secure-testing-team] Relevance of http://www.debian.org/security/nonvulns-sarge
Hello,
reading the security announcements on lwn.net, I've noticed for a while
that lots of software does not have a DSA, nor are the CVEs mentioned
on http://www.debian.org/security/nonvulns-sarge. I've compiled a list
of roundabout 60 CVEs which *might* apply to Sarge / Etch and started
checking them. I noticed, however, that those checks seemed to be
performed already, e.g. on
http://idssi.enyo.de/tracker/CVE-2007-0247
I see a note:
"[sarge] - squid <not-affected> (Vulnerable code not present)"
So why is this not mentioned in
http://www.debian.org/security/nonvulns-sarge which would be the most
natural place to look for vulnerabilities in a stable release?
My intention was to compile a list of entries for the nonvulns list
and either ask Joey to insert them or do it myself (I've commit
access, though I would not write there without permission /
coordination).
I would be glad for a clarification and thanks for your work /
http://idssi.enyo.de/.
Greetings
Helge
--
Dr. Helge Kreutzmann debian@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
Moritz Muehlenhoff
2007-Feb-11 18:57 UTC
[Secure-testing-team] Relevance of http://www.debian.org/security/nonvulns-sarge
Helge Kreutzmann wrote:
> Hello,
> reading the security announcements on lwn.net, I've noticed for a while
> that lots of software does not have a DSA, nor are the CVEs mentioned
> on http://www.debian.org/security/nonvulns-sarge. I've compiled a list
> of roundabout 60 CVEs which *might* apply to Sarge / Etch and started
> checking them. I noticed, however, that those checks seemed to be
> performed already, e.g. on
>
> http://idssi.enyo.de/tracker/CVE-2007-0247

You're invited to continue such efforts directly in the Security Tracker:
http://security-tracker.debian.net/tracker/
http://security-tracker.debian.net/tracker/data/report

> I see a note:
> "[sarge] - squid <not-affected> (Vulnerable code not present)"
>
> So why is this not mentioned in
> http://www.debian.org/security/nonvulns-sarge which would be the most
> natural place to look for vulnerabilities in a stable release?

In the mid-term we could probably phase out the above URL completely.
Florian, when you find the time please implement a web overview which
only presents a list of not-affected issues.

> My intention was to compile a list of entries for the nonvulns list
> and either ask Joey to insert them or do it myself (I've commit
> access, though I would not write there without permission /
> coordination).

Feel free to feed in the necessary information into webwml, I lack the
time to do so.

Cheers,
Moritz