On Mon, Nov 19, 2001 at 09:29:37AM +0000, Alex Butcher (vuln-dev) wrote:
> Yeah, Debian, like Red Hat (probably others too) frequently include
> patches culled from mailing lists, their own code audits and so on,
> meaning the version isn't a completely reliable guide to determining the
> vulnerability or not of a given instance. This issue has arisen in the
> past; perhaps it's time that the folks at Debian and Red Hat started
> indicating more clearly that they've patched with their version numbers

The version number of gzip on a Debian system is not "1.2.4"; it's (on a box selected at random) 1.2.4-33. /usr/share/doc/gzip/changelog.Debian.gz contains the full changelog, information on which patches have been applied, and references to the bug-tracking system. If one knows that this principle is in use, it can be quite helpful.

Roger
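The check Roger describes, as an added example that is not part of the original thread: split a Debian version such as 1.2.4-33 into its upstream and Debian-revision parts, and scan a changelog.Debian.gz-style text to see whether a given fix entered at or before the installed revision. The changelog excerpt is constructed for illustration and is not gzip's real changelog.

```python
import re

# Constructed excerpt in Debian changelog format (not the real gzip changelog).
SAMPLE_CHANGELOG = """\
gzip (1.2.4-33) unstable; urgency=high

  * Apply fix discussed on the vuln-dev list (constructed entry)

 -- Maintainer <maintainer@example.org>  Sun, 18 Nov 2001 10:00:00 +0000

gzip (1.2.4-32) unstable; urgency=low

  * Rebuild against current libc (constructed entry)

 -- Maintainer <maintainer@example.org>  Mon, 01 Oct 2001 10:00:00 +0000
"""

# Entry header line: "<source> (<version>) <distribution>; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) \S+;", re.M)


def parse_version(version):
    """Split a Debian version into (epoch, upstream, debian_revision); in
    1.2.4-33 the "-33" is bumped whenever the applied patches change."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen: native package without a Debian revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def parse_changelog(text):
    """Return [(version, entry_body), ...] in file order, newest first."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def fix_included(text, installed_version, pattern):
    """True if the entry for installed_version or any older entry matches
    pattern; uses the file's own ordering, not dpkg's version comparison."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} is not in this changelog")
    older_or_equal = entries[versions.index(installed_version):]
    return any(re.search(pattern, body, re.I) for _, body in older_or_equal)
```

On a real system, read the text with `gzip.open("/usr/share/doc/gzip/changelog.Debian.gz", "rt")` and take the installed version from `dpkg-query -W -f='${Version}' gzip`.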
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 11:44:13 PST