| 1 |
On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote: |
| 2 |
> Am 26.08.2011 18:55, schrieb Alex Legler: |
| 3 |
> > Compared to other distributions, our advisories have been rather |
| 4 |
> > detailed with lots of manually researched information. I'm not sure if |
| 5 |
> > we can keep up this very high standard with the limited manpower, but |
| 6 |
> > we'll try our best. |
| 7 |
> I see the point. I think it would be an achievement over the current |
| 8 |
> situation (which is: no current GLSAs at all) to send out less detailed |
| 9 |
> GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they are |
| 10 |
> fixed in $VERSION, for details see $CVE" would be immensely helpful. |
| 11 |
> |
| 12 |
> Is the any viable way to get it at least to this point? Probably the largest |
| 13 |
> part of such a task could be automated. This would lift the burden from the |
| 14 |
> security maintainers. |
| 15 |
|
| 16 |
I agree on this. |
| 17 |
I don't (yet) know enough to actually help in this. I tend to follow |
| 18 |
advisories and try to keep my machines as much up-to-date as possible. |
| 19 |
|
| 20 |
More brief GSLAs like what Christian mentioned are, for the majority, |
| 21 |
sufficient. If someone really needs more information, there is always google. |
| 22 |
|
| 23 |
Maybe only list if it's a "local-only" exploit, eg. if local shell-access |
| 24 |
needs to be available already, or if it's also usable to abuse from remote. |
| 25 |
The latter being more troublesome as there are no valid user-accounts on my |
| 26 |
server and I trust all my users (me and my wife). |
| 27 |
|
| 28 |
-- |
| 29 |
Joost |
Archives