Hi Alec,

> CVE-2001-1098 (Cisco PIX firewall manager (PFM) 4.3(2)g logs the
> enable password in ...)
> - TODO: check
> + NOT-FOR-US: Cisco
> CVE-2001-1096 (Buffer overflows in muxatmd in AIX 4 allows an
> attacker to cause a ...)
> TODO: check

You are doing really great work and, (I think) for the first time this year, we are actually catching up with the current issues. However, so far we have put a cut-off at woody's release, which was mid 2002. Personally, I think there are better ways to spend your time than on those old issues which are long fixed or have become irrelevant.

Maybe one should remove the TODO-lines from them (I think there was some discussion about this before). This way the webpage would give a reasonable estimate of the number of open TODO issues, too.

What do you (and the others) think?

Cheers,
Stefan
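Review bot: the CVE-2001-1096 entry (muxatmd in AIX 4) is left at `TODO: check` while the neighbouring Cisco PIX entry is changed from `TODO: check` to `NOT-FOR-US: Cisco`; since the description itself places muxatmd in AIX, the same reasoning applies and the entry could be marked `NOT-FOR-US: AIX` in the same change instead of staying in the TODO count.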
Stefan Fritsch on 2006-05-22 23:12:02 +0200:

> Personally, I think there are better ways to spend your time than on
> those old issues which are long fixed or have become irrelevant.
>
> Maybe one should remove the TODO-lines from them (I think there was
> some discussion about this before). This way the webpage would give a
> reasonable estimate of the number of open TODO issues, too.
>
> What do you (and the others) think?

Thank you for your concern. The really old NFUs were the result of fun with vim macros during a Battlestar Galactica marathon. I have no plan to go through the entire CVE list :) but hoped to get the tracker todo loading a bit quicker by removing the ones obviously relating to Microsoft, Cisco, and the like. It didn't work so well - must be too many PHP bulletin boards out there.

I pinged Florian a few days ago about hiding the really old CVEs and he mentioned two things: a few of them apparently haven't been fixed, and that there used to be a cutoff marker. The ones that haven't been fixed are unlikely to be severe, so I'm not worried about those at this point. I poked around for a few minutes but didn't find the marker in old revisions, and after an equally brief inspection of the tracker I didn't find code to recognize such a marker; I'll probably send in a patch for the tracker to optionally hide old CVEs.
Alec Berryman wrote:

> > Personally, I think there are better ways to spend your time than on
> > those old issues which are long fixed or have become irrelevant.
> >
> > Maybe one should remove the TODO-lines from them (I think there was
> > some discussion about this before). This way the webpage would give a
> > reasonable estimate of the number of open TODO issues, too.
> >
> > What do you (and the others) think?
>
> Thank you for your concern. The really old NFUs were the result of fun
> with vim macros during a Battlestar Galactica marathon. I have no plan
> to go through the entire CVE list :) but hoped to get the tracker todo
> loading a bit quicker by removing the ones obviously relating to
> Microsoft, Cisco, and the like. It didn't work so well - must be too
> many PHP bulletin boards out there.
>
> I pinged Florian a few days ago about hiding the really old CVEs and he
> mentioned two things: a few of them apparently haven't been fixed, and
> that there used to be a cutoff marker. The ones that haven't been fixed
> are unlikely to be severe, so I'm not worried about those at this point.
> I poked around for a few minutes but didn't find the marker in old
> revisions, and after an equally brief inspection of the tracker I didn't
> find code to recognize such a marker; I'll probably send in a patch for
> the tracker to optionally hide old CVEs.

The update script by Joey Hess at one point blew in several megabytes of old issues, so there isn't a script cut-off any more. While there might be a few minor issues still hiding in pre-2002 TODOs, they are all probably fixed by including fixed upstream versions (except for a bit of unmaintained software) in Sarge.

Cheers,
Moritz
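The two proposals in this thread (Stefan's: stop counting pre-woody TODO entries so the web page reports a realistic number of open issues; Alec's: a tracker option that hides CVEs older than a cutoff year without editing the list) amount to the same filter over the list file. The following is an added example and not code from the secure-testing tracker. It assumes the entry layout visible in Stefan's quoted excerpt: a `CVE-YYYY-NNNN (description)` header line followed by indented status lines such as `TODO: check`, `NOT-FOR-US: ...` or `- package version`; the two extra entries in the sample (CVE-2004-9998 and CVE-2006-9999) are constructed for the example, not real tracker data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header line of one entry, e.g. "CVE-2001-1098 (Cisco PIX firewall manager ...)".
# The description may itself contain parentheses, so the group is greedy.
CVE_HEADER = re.compile(r"^CVE-(\d{4})-(\d{4,})\s*(\(.*\))?\s*$")


@dataclass
class Entry:
    cve: str
    year: int            # taken from the CVE identifier, used for the cutoff
    description: str
    status: List[str] = field(default_factory=list)  # indented lines under the header


def parse_list(text: str) -> List[Entry]:
    """Parse the assumed list layout: a header line, then indented status lines."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = CVE_HEADER.match(raw)
        if m:
            current = Entry(
                cve=f"CVE-{m.group(1)}-{m.group(2)}",
                year=int(m.group(1)),
                description=(m.group(3) or "").strip("()"),
            )
            entries.append(current)
        elif current is not None and raw[0] in " \t":
            current.status.append(raw.strip())
        else:
            # Anything else is a layout error, not something to silently skip.
            raise ValueError(f"unexpected line outside an entry: {raw!r}")
    return entries


def is_todo(entry: Entry) -> bool:
    """An entry is open while any of its status lines is a TODO."""
    return any(line.startswith("TODO:") for line in entry.status)


def open_todos(entries: List[Entry], cutoff_year: Optional[int] = None) -> List[str]:
    """CVE ids still marked TODO, hiding (not deleting) issues older than the cutoff.

    The entries keep their TODO lines, so a later reviewer can still find the
    pre-cutoff items; only the report omits them.
    """
    return [
        e.cve
        for e in entries
        if is_todo(e) and (cutoff_year is None or e.year >= cutoff_year)
    ]


def todo_summary(entries: List[Entry], cutoff_year: int) -> Dict[str, int]:
    """Counts for the web page: open TODOs at or after the cutoff, and how many were hidden."""
    todos = [e for e in entries if is_todo(e)]
    shown = sum(1 for e in todos if e.year >= cutoff_year)
    return {"open": shown, "hidden_old": len(todos) - shown}


# Constructed sample list: the two entries quoted in the thread plus two made-up ones.
SAMPLE_LIST = """\
CVE-2001-1098 (Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in ...)
\tNOT-FOR-US: Cisco
CVE-2001-1096 (Buffer overflows in muxatmd in AIX 4 allows an attacker to cause a ...)
\tTODO: check
CVE-2004-9998 (constructed entry: already fixed in the archive)
\t- examplepkg 1.2-3
CVE-2006-9999 (constructed entry: still open)
\tTODO: check
"""

if __name__ == "__main__":
    entries = parse_list(SAMPLE_LIST)
    # Without a cutoff the 2001 AIX entry inflates the count; with the woody
    # cutoff (2002) the page reports only the issue that still needs work.
    print("all open:", open_todos(entries))
    print("open since 2002:", open_todos(entries, cutoff_year=2002))
    print(todo_summary(entries, cutoff_year=2002))
```

Running it lists CVE-2001-1096 and CVE-2006-9999 as open with no cutoff, but only CVE-2006-9999 with the 2002 cutoff, which is the "reasonable estimate" Stefan asks for without touching the old entries that Florian noted may not all be fixed.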