On 09/10/12 10:51, Andrew Worsley wrote:
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below
How reliable is debsecan? I just ran it on one of my systems, and among many of the problems it found, was this one, which I picked at random: CVE-2011-1148 php5-mysql (remotely exploitable, high urgency) The description of this vulnerability is: "Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments." (from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1148) But the php5-mysql package I have installed is 5.4.4-4, which is definitely later than 5.3.6: Package: php5-mysql Version: 5.4.4-4 What exactly is debsecan using to determine these vulnerabilities? I realise that the man page for it says that it bases vulnerabilities upon source packages, and that this results in errors being shown for all associated binaries, but I don't have an old version of any php package on my system that could be triggering it... Paul. -- Paul Dwerryhouse <paul@dwerryhouse.com.au>