
Re: Welcome to me :): msg#00008

Subject: Re: Welcome to me :)
On Wed, Jun 02, 2004 at 06:00:28PM +0200, Javier Fernández-Sanguino Peña wrote:

> Did mdz refer to _all_ security bugs or just security bugs that do not 
> affect stable? I don't see why a bug in a package in sarge/sid which is not 
> yet released (for example, it is not present in stable or the code affected 
> is not present in the stable version) could not be reported in the BTS.

  At the time it was suggested all bugs affecting stable.  I guess
 if something is vulnerable in unstable it's a different matter, and
 looking back I have reported things in unstable just using the BTS.

> >   There are also links to the Secure Programming HOWTO for more
> >  information on closing things securely.
> 
> Great. I'm eager to read that (but I'll have to finish "Secure Coding, 
> principles and practices" first, BTW, it might be worthwhile pointing to 
> some books, for example:

  I will add some links to books shortly, mostly I've not done that
 as I've not read any!  I have one security book which is the 
 'Shellcoder's handbook' which I was recently given and I like.

  I've read a lot of books such as Code Complete, but nothing
 specifically geared at either secure programming or exploitation.

> I have the second edition of the second one in my possession (a must read), 
> and I'm currently reading the first one (which is pretty good IMHO)

  Thanks, I'll see if I can lay my hands on them easily.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

