On Mon, Jul 21, 2003 at 11:15:14AM +0200, Gerfried Fuchs wrote:
> * doug jensen <[EMAIL PROTECTED]> [2003-07-20 18:53]:
> > So, I will make those corrections and send the patches back to the list
> > to be committed, or bug reports to www.debian.org, or ...?
>
> Send them to the list, IMHO no need to bloat the BTS with it. If no one
> reacts you can still send them to the BTS for them to be more visible.
>
> Uhm, on second thought, I guess Matt and/or Javier are doing a database
> of cross-references to vulnerability databases, they might be interested
> in your changes in that part, too.

An email sent to debian-security, asking for comments from Matt and/or Javier, received no response. So, I'm wondering if anyone wants to commit the following three patches? Thanks for your consideration. # Allows the "fixed in" data to be displayed (for Buzz/Rex). # Affects several DSAs in the 1998, 1997, and undated directories. # This template isn't being used for current DSAs, last used in 1998. --- template/debian/fixes_link.wml.old Fri Nov 1 06:16:30 2002 +++ template/debian/fixes_link.wml.new Sat Jul 19 17:26:53 2003 @@ -16,6 +16,12 @@ <define-tag notapplicable whitespace=delete> <gettext>N/A</gettext> </define-tag> +<define-tag in1_1 whitespace=delete> + <gettext>in release 1.1</gettext> +</define-tag> +<define-tag in1_2 whitespace=delete> + <gettext>in release 1.2</gettext> +</define-tag> <define-tag in1_3 whitespace=delete> <gettext>in release 1.3</gettext> </define-tag> @@ -41,6 +47,14 @@ if ( $release eq "not" ) { $str = "<notneeded/>"; + } + elsif ( $release eq "buzz" ) + { + $str = "$arch - (<in1_1/>) $version"; + } + elsif ( $release eq "rex" ) + { + $str = "$arch - (<in1_2/>) $version"; } elsif ( $release eq "bo" ) { ## This change allows "Vulnerable" to be "Yes" and "Security database ## reference" to be displayed. --- security/undated/1ssh.data.old Thu Apr 19 09:52:11 2001 +++ security/undated/1ssh.data.new Sat Jul 19 17:37:41 2003 
@@ -1,7 +1,8 @@ <define-tag pagetitle>ssh</define-tag> <define-tag report_date>undated</define-tag> +<define-tag secrefs>CA-1998-03</define-tag> <define-tag packages>ssh</define-tag> -<define-tag isvulnerable>Yes</define-tag> +<define-tag isvulnerable>yes</define-tag> <define-tag fixed>Yes</define-tag> #use wml::debian::security # Changes to 1ssh.wml to add new data. # Changed from what was in my original email (simplified). # Note, there is nothing that absolutely insures that the new # information is related to the original DSA. However, the version # number matches and it seems to be related. --- undated/1ssh.wml.old Sun Jul 22 07:46:50 2001 +++ undated/1ssh.wml.new Wed Jul 30 15:53:08 2003 @@ -3,6 +3,13 @@ ssh allowed non-privileged users to forward privileged ports. <p>Fixes: ssh 1.2.21-1 or later + +<p>Insufficent permission checking may allow a SSH client user, to access +remote accounts belonging to the ssh-agent user. + +<p>SSH versions 1.2.17 thru 1.2.21 are vulnerable. SSH versions prior to +1.2.17 are vunerable to a different, though similar attack. + </define-tag> # do not modify the following line Doug Jensen
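
Review bot: The new in1_1 and in1_2 tags in the first fixes_link.wml hunk add two new gettext strings ("in release 1.1", "in release 1.2"), so the translation catalogues need matching entries. Until those exist, the translated versions of the affected 1997/1998/undated DSAs would presumably show the English text. A line in the commit message pointing this out would let translators pick it up.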
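
Review bot: The buzz and rex branches added in the second fixes_link.wml hunk compare with eq, which is an exact, case-sensitive match, so they only take effect where the page data spells the release exactly "buzz" or "rex". Please confirm the affected files use that spelling. The two branches differ only in the tag name (in1_1 versus in1_2), so a release-to-tag lookup would avoid growing the elsif chain, though that is optional for a template that is no longer used for current DSAs.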
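
Review bot: In the 1ssh.data hunk, isvulnerable is lowercased to "yes" while the unchanged line directly below it still reads <define-tag fixed>Yes</define-tag>. If the template matches these values case-sensitively, as the isvulnerable change implies, please check whether fixed needs the same treatment. The new secrefs value CA-1998-03 rests on the version match described in the comment above the next patch, so a sentence in the commit message on how the reference was matched to this DSA would help later readers.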
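
Review bot: In the 1ssh.wml hunk, the added text says versions 1.2.17 thru 1.2.21 are vulnerable, directly below the existing line "Fixes: ssh 1.2.21-1 or later", so the page no longer states clearly which version fixes the newly described problem. Either give the fixed version for the second issue or move the Fixes line after both descriptions. In the added lines, "Insufficent" should be "Insufficient", "vunerable" should be "vulnerable", and the comma after "client user" should be dropped. The file header here is undated/1ssh.wml while the previous patch uses security/undated/, so the two patches do not apply from the same directory.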