[Sent by mistake to maxwillb only - forwarding to the list]

>From amaca...@einval.com Sat Dec 25 15:16:59 2021
Date: Sat, 25 Dec 2021 15:16:59 +0000
From: "Andrew M.A. Cater" <amaca...@einval.com>
To: maxwillb <maxwi...@mailfence.com>
Subject: Re: How to see the list of CRITICALLY vulnerable packages in Debian?
Message-ID: <ycc169wpegynb...@einval.com>
References: <461915924.365881.1640387246...@ichabod.co-bxl> <ycct2zgmlpm7e...@einval.com> <240282256.412431.1640442971...@ichabod.co-bxl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <240282256.412431.1640442971...@ichabod.co-bxl>
Status: RO
Content-Length: 2175
Lines: 62
On Sat, Dec 25, 2021 at 03:36:12PM +0100, maxwillb wrote:
> December 25, 2021 1:51:39 PM CET "Andrew M.A. Cater" <amaca...@einval.com> wrote:
> On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
>
> > It's not as if people are massively dropping the ball here, in spite of your apprehension.
>
> I'm sure Debian is doing its best. It's just that it's not enough:
>
> https://security-tracker.debian.org/tracker/CVE-2021-30521
>
> ~6 months old. HIGH severity on NVD. "Not yet assigned" on Debian.
>
> https://security-tracker.debian.org/tracker/CVE-2021-37973
>
> ~3 months old. CRITICAL severity on NVD. "Not yet assigned" on Debian.
>
> etc. etc. ...
>

Hi Maxwillb

https://security-team.debian.org/security_tracker.html#gentle-introduction is probably the best I can do.

If it helps: as you're aware, we're likely to drop chromium from Debian altogether.

* Not all issues are necessarily disclosed by Google - who own the codebase for Chrome and thereby for Chromium and don't necessarily regard Chromium as meaningful.
* It's a significant codebase - and hard to build on all architectures
* It's released regularly enough that it's hard to track issues
* Do you just "take the latest code drop and pray it fixes issues"?

and the maintainers are working hard to keep up.

Dropping it would solve the issue - that probably means that every Debian derived distribution will also lose Chromium. I note that Fedora are packaging Chromium in EPEL at the moment but a quick Google shows the following, for example https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-01679b76db

So you're raising issues that everyone knows but can't do a great deal about given the difficulties of working out what is specific to proprietary Chrome and what is effective on Chromium.

Hope this helps, as ever, Merry Christmas to all reading the list, by the way

All the very best, as ever,

Andy Cater

>
> But I don't want to click on every one of these links. I just want to filter the vulnerabilities by their NVD severity. Hence this question.
>
> --
> Sent with https://mailfence.com
> Secure and private email
>
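The filtering maxwillb asks for (open Debian CVEs per package, ranked by NVD severity rather than by the tracker's own urgency, which is often still "not yet assigned") can be done offline once both data sets are in hand. The following is an added example, not code from this thread or from the Debian security team; the record shapes are constructed to resemble the tracker's per-package JSON export and NVD's CVSS base severity, and the only real CVE ids are the two quoted above (the other ids are labelled placeholders). Fetching the live data is left out and assumed to happen separately.

```python
"""List open Debian CVEs per package, filtered by NVD severity.

Added example (not from the thread). The shapes of DEBIAN_TRACKER and
NVD_SEVERITY are assumptions modelled on the security tracker's JSON
export and NVD's CVSS v3 baseSeverity; in practice both would be fetched
and converted into these two dictionaries first.
"""
from collections import defaultdict

# Constructed sample shaped like the tracker export: package -> CVE -> releases.
# The two real CVE ids are the ones discussed in the thread; "CVE-0000-000x"
# entries are constructed placeholders.
DEBIAN_TRACKER = {
    "chromium": {
        "CVE-2021-30521": {"releases": {"bullseye": {"status": "open", "urgency": "not yet assigned"}}},
        "CVE-2021-37973": {"releases": {"bullseye": {"status": "open", "urgency": "not yet assigned"}}},
        "CVE-0000-0001": {"releases": {"bullseye": {"status": "resolved", "urgency": "low"}}},
    },
    "examplepkg": {
        "CVE-0000-0002": {"releases": {"bullseye": {"status": "open", "urgency": "medium"}}},
    },
}

# Constructed sample: CVE id -> NVD base severity. The two real ids carry the
# severities quoted in the thread (HIGH and CRITICAL).
NVD_SEVERITY = {
    "CVE-2021-30521": "HIGH",
    "CVE-2021-37973": "CRITICAL",
    "CVE-0000-0002": "MEDIUM",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def open_cves_by_nvd_severity(tracker, nvd, release, min_severity):
    """Return {package: [(cve_id, nvd_severity, debian_urgency), ...]}.

    Only CVEs whose status in `release` is "open" and whose NVD severity is at
    least `min_severity` are kept. CVEs that NVD has not scored yet are
    skipped, since there is no severity to filter on. Within a package the
    list is ordered from most to least severe.
    """
    threshold = SEVERITY_RANK[min_severity]
    result = defaultdict(list)
    for package, cves in tracker.items():
        for cve_id, info in cves.items():
            rel = info.get("releases", {}).get(release)
            if rel is None or rel.get("status") != "open":
                continue
            severity = nvd.get(cve_id)
            if severity is None or SEVERITY_RANK[severity] < threshold:
                continue
            result[package].append((cve_id, severity, rel.get("urgency", "")))
    for entries in result.values():
        entries.sort(key=lambda e: -SEVERITY_RANK[e[1]])
    return dict(result)


def format_report(by_package):
    """Render the result of open_cves_by_nvd_severity as plain text lines."""
    lines = []
    for package in sorted(by_package):
        for cve_id, severity, urgency in by_package[package]:
            lines.append(f"{package}\t{cve_id}\t{severity}\tdebian: {urgency}")
    return lines


if __name__ == "__main__":
    report = open_cves_by_nvd_severity(DEBIAN_TRACKER, NVD_SEVERITY, "bullseye", "HIGH")
    print("\n".join(format_report(report)))
```

With the constructed data, asking for HIGH and above in bullseye yields only the two chromium CVEs (CRITICAL first), and the resolved placeholder is dropped regardless of severity. The Debian urgency is carried alongside the NVD rating so the "not yet assigned" gap the thread complains about is visible in the same row.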