1 |
On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote: |
2 |
> Am 26.08.2011 18:55, schrieb Alex Legler: |
3 |
> > Compared to other distributions, our advisories have been rather |
4 |
> > detailed with lots of manually researched information. I'm not sure if |
5 |
> > we can keep up this very high standard with the limited manpower, but |
6 |
> > we'll try our best. |
7 |
> I see the point. I think it would be an achievement over the current |
8 |
> situation (which is: no current GLSAs at all) to send out less detailed |
9 |
> GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they are |
10 |
> fixed in $VERSION, for details see $CVE" would be immensely helpful. |
11 |
> |
12 |
> Is the any viable way to get it at least to this point? Probably the largest |
13 |
> part of such a task could be automated. This would lift the burden from the |
14 |
> security maintainers. |
15 |
|
16 |
I agree on this. |
17 |
I don't (yet) know enough to actually help in this. I tend to follow |
18 |
advisories and try to keep my machines as much up-to-date as possible. |
19 |
|
20 |
More brief GSLAs like what Christian mentioned are, for the majority, |
21 |
sufficient. If someone really needs more information, there is always google. |
22 |
|
23 |
Maybe only list if it's a "local-only" exploit, eg. if local shell-access |
24 |
needs to be available already, or if it's also usable to abuse from remote. |
25 |
The latter being more troublesome as there are no valid user-accounts on my |
26 |
server and I trust all my users (me and my wife). |
27 |
|
28 |
-- |
29 |
Joost |