Bug#761963: security-tracker: consolidate vulnerable/fixed per release in overviews
Package: security-tracker
Severity: wishlist

Hi,

In the overview per-package, the tracker currently shows for each CVE name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy, wheezy-security, jessie, sid. I think for the overviews it would be preferable if the table just shows the status for each release ('squeeze', 'wheezy' (or maybe even 'oldstable', 'stable'), etc.) overall, that is, 'wheezy' will show fixed if an issue is fixed in wheezy-security. I believe that this represents best how people think about an issue being fixed.

For an individual CVE page, I think the same would go for the overview at the top (this currently shows only Debian/stable for all wheezy suites but confusingly shows vulnerable if it's fixed in wheezy-security). The detailed info about the exact suites can remain to be found in the table under "Vulnerable and fixed packages" on the CVE page.

Cheers,
Thijs

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140917091039.14193.83060.report...@thki-sid.pt-48.utr.surfcloud.nl
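The consolidation rule proposed in this report (a release shows "fixed" as soon as any of its suites, such as wheezy-security, carries the fix) is small enough to write down. The following is an added example, not code from the security tracker: it takes the seven suite columns named above, groups them by release, and renders both the per-package overview and the "Debian/stable" style summary of a CVE page. The status vocabulary ("fixed", "vulnerable", "not-affected"), the release-name aliases and the sample issues are assumptions constructed for the example.

```python
# Added example, not code from the Debian security tracker: fold the per-suite
# status columns of the per-package overview into one status per release, so
# that 'wheezy' reads "fixed" when the fix shipped via wheezy-security.
from typing import Dict, List, Optional

# The seven suite columns named in the report, grouped by release. The alias
# names (oldstable/stable/...) reflect September 2014 and are assumed here.
RELEASE_SUITES: Dict[str, List[str]] = {
    "squeeze": ["squeeze", "squeeze-security", "squeeze-lts"],
    "wheezy": ["wheezy", "wheezy-security"],
    "jessie": ["jessie"],
    "sid": ["sid"],
}
RELEASE_ALIAS = {"squeeze": "oldstable", "wheezy": "stable",
                 "jessie": "testing", "sid": "unstable"}


def release_status(suite_status: Dict[str, str], suites: List[str]) -> Optional[str]:
    """Collapse the statuses of one release's suites into a single word.

    A fix in any suite (e.g. wheezy-security) makes the release "fixed";
    otherwise any "vulnerable" suite makes it "vulnerable"; a package that
    is in none of the suites yields None (nothing to show in that column).
    """
    present = [suite_status[s] for s in suites if s in suite_status]
    if not present:
        return None
    if "fixed" in present:
        return "fixed"
    if "vulnerable" in present:
        return "vulnerable"
    return present[0]  # e.g. "not-affected" in every suite that has the package


def consolidate(suite_status: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Per-release view of one issue, keyed by release codename."""
    return {rel: release_status(suite_status, suites)
            for rel, suites in RELEASE_SUITES.items()}


def cve_page_summary(suite_status: Dict[str, str]) -> Dict[str, Optional[str]]:
    """The same data in the 'Debian/stable' form used at the top of a CVE page."""
    return {f"Debian/{RELEASE_ALIAS[rel]}": status
            for rel, status in consolidate(suite_status).items()}


def overview_table(issues: Dict[str, Dict[str, str]]) -> str:
    """Render the consolidated per-package overview as plain text."""
    cols = list(RELEASE_SUITES)
    rows = ["issue".ljust(16) + "".join(c.ljust(12) for c in cols)]
    for name, suite_status in issues.items():
        per_release = consolidate(suite_status)
        rows.append(name.ljust(16)
                    + "".join((per_release[c] or "-").ljust(12) for c in cols))
    return "\n".join(rows)


# Constructed sample data for a hypothetical package (not real tracker entries).
SAMPLE_ISSUES = {
    "CVE-EXAMPLE-1": {"squeeze": "vulnerable", "squeeze-security": "vulnerable",
                      "wheezy": "vulnerable", "wheezy-security": "fixed",
                      "jessie": "vulnerable", "sid": "fixed"},
    "CVE-EXAMPLE-2": {"squeeze": "not-affected", "wheezy": "fixed",
                      "jessie": "fixed", "sid": "fixed"},
}

if __name__ == "__main__":
    print(overview_table(SAMPLE_ISSUES))
    print(cve_page_summary(SAMPLE_ISSUES["CVE-EXAMPLE-1"]))
```

For CVE-EXAMPLE-1 the wheezy column reads "fixed" even though the wheezy base suite is still vulnerable, which is exactly the reading the report asks for; the per-suite detail stays available in `suite_status` for the "Vulnerable and fixed packages" table.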
Re: Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, September 16, 2014 09:10, Paul Wise wrote:
> Could we get a new URL that also has information about unimportant and resolved issues and DSAs? I would suggest a format like what lintian uses:

Not sure what you'd use that additional info for, but I would heartily disrecommend to display unimportant issues in the PTS; the idea of unimportant is that they are just that, and that no action is needed. If we would display unimportant issues in the PTS, this would for some packages lead to semi-permanent notice of issues, thereby reducing the attention value when an actual issue is found.

Cheers,
Thijs
Re: Switching the tracker to git
On Mon, September 15, 2014 07:33, Henri Salo wrote:
> On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
>> My guess is that the only reason that subversion is still used is inertia and that people would be happier with git. However, I'm curious to know if anyone thinks otherwise?
>
> In my experience Git also takes more time per commit if we are talking about making branches and/or pull requests. I think this will be the cases we're not going to use (much). What would be the actual benefits of moving to Git and I'm not talking about some minor speed improvements. Please also note that there are hooks in SVN currently and I'm not sure if those can be migrated to Git.
>
> Speed improvements, further standardisation within Debian on git so less tools for new people to learn, ability to work offline (limited use with the daily flow, but may be useful for some cases) are some good reasons. I believe at the very least git will not make the situation worse for current routine use. I'm more than happy to discuss this case in detail and even help to implement it if/when team starts to move that direction.

Michael's statement is spot on: there's no objection to such migration but as svn didn't pose huge problems yet it hasn't been a priority. I would say that if someone wants to do the work, just do it (as long as you keep everyone informed of course).

Some points of attention:
- Two main non-human use of svn are the joeyh commit script and the tracker itself.
- When fixing the joeyh one, I think it makes sense to move it to a role account on alioth (as previously discussed), rather than this personal account, at the same time.
- There's also a very useful pre-commit hook that checks syntax of commits to data/*. This is something that also would need a place somewhere.

Cheers,
Thijs
Bug#611163: nice css: let there be patches...
On Mon, September 15, 2014 01:36, Holger Levsen wrote:
> Hi,
>
> See attached or branch html5+external_css from ssh://git.debian.org/git/collab-maint/secure-testing.git
>
> These patches turn the html into html5 and introduce a modern, slick css style inspired from tracker.d.o - enjoy! :)
>
> Feedback welcome!
>
> cheers

Thanks to Ulrike for the nice work! Yes, looks good from reading the source. So let's go! If there's anything that would need to be fixed in practice we'll see about that when it's deployed.

Thijs
Re: small misc fixes
On Fri, September 12, 2014 15:14, Holger Levsen wrote:
> Hi,
>
> On Friday, 12 September 2014, Holger Levsen wrote:
>> attached are three small no brainer fixes I'd like to apply, please confirm
>
> thanks to Thijs, this diff even got smaller and better, see attached. I've verified that the code still works nicely. May I commit? (And test git-svn committing... *lalala*)

Looks good to me. Personally, I'd be fine with you just committing your stuff. People will be looking at commit messages anyway. And in case of trouble things are easily rolled back...

Thijs
Re: Debian - A list of correcting packets
Hi Mathieu.

On Wed, April 16, 2014 18:59, vielg...@gmail.com wrote:
> Is there a way to get the list of the correcting packets for each CVE in Debian ?

Yes, if you go to https://security-tracker.debian.org/tracker/ and search for a CVE name in the text field, you will get a list of the packages affected by that CVE and the fixed versions.

Cheers,
Thijs
Re: Debian - A list of correcting packets
Hi Mathieu,

On Wed, April 16, 2014 19:58, vielg...@gmail.com wrote:
> Hi Thijs,
>
> Yes, thanks, but is there a list .txt or .gz which sum up everything ?

The source data is plain text: http://anonscm.debian.org/viewvc/secure-testing/data/CVE/

What may also be of use is the source data for the debsecan tool (in zlib compressed format): http://secure-testing.debian.net/debian-secure-testing/project/debsecan/release/1/wheezy

Cheers,
Thijs
Re: security-tracker now on https?
Hi dsa,

On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
> Hi admins,
>
> It was noted that the security tracker now blanket redirects to https://security-tracker.debian.org. This is fine of course for us DD's, but it presents a problem for externals using it. The tracker is often used by e.g. different distributions like RH and Gentoo, which may not have the SPI CA in their trust store by default and thus makes it inconvenient to them. We're not aware of any confidentiality sensitive information on that web site so enforcing https here does not seem strictly necessary. Is it possible to revert this change?

Did you get around to looking into this issue yet?

Thanks,
Thijs
Re: php5: CVE-2011-1092 and CVE-2011-1148
On Wed, February 27, 2013 04:43, Steven Chamberlain wrote:
> Dear Security Team,
>
> In the tracker, CVE-2011-1092 and CVE-2011-1148 in PHP before 5.3.6 are correctly shown as fixed in 5.3.3-7+squeeze14. But 5.4.4-13 is still suggested as being vulnerable.
>
> The upstream changelog for 5.4.4 (/usr/share/doc/php5-common/changelog.gz) indicates that the corresponding bugs were fixed (#54193 and #54238, according to the NVD). Here are the specific commits, made to the 5.3 branch, and also to the SVN trunk which became 5.4.0 alpha 1:
>
> http://svn.php.net/viewvc?view=revision&revision=309018
> http://svn.php.net/viewvc?view=revision&revision=310194
>
> Please kindly mark php5 versions >= 5.4.0 as fixed.
>
> Thanks,

Confirmed and done. They were probably not tracked earlier because we don't consider them important issues.

Cheers,
Thijs
Re: Please help with discrepancies in CVE-2011-3578
On Sat, June 16, 2012 00:40, s...@powered-by-linux.com wrote:
> Hi Team,
>
> I had prepared a new security-stable version for mantis package to fix some new CVE's, and I found out that CVE-2011-3578 [1], patched on mantis 1.1.8+dfsg-10squeeze1, from 2011, was not yet updated in the security tracker. The CVE-2011-3578 was not yet assigned when the security package, including the patch [2], 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff [3], was uploaded and fixed.
>
> Please, could you update the tracker and fix it?

Yes, I updated it. Will you add the CVE to squeeze1's changelog, for posterity?

Cheers,
Thijs
Re: python-django
On Sun, September 11, 2011 22:28, Paul van der Vlis wrote:
> Hello,
>
> I see security issues in Django on the Django website, https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
>
> But I don't see anything in the Debian security tracker about it: http://security-tracker.debian.org/tracker/status/release/stable

Thanks for the heads up, we got the information but didn't get around to updating this specific issue yet. It should now be in the tracker.

Cheers,
Thijs
Re: Repository not in websvn anymore
Hi Enno,

On Mon, June 6, 2011 14:14, Enno Gröper wrote:
> the link at [1] to http://svn.debian.org/wsvn/secure-testing/data/ doesn't work anymore. Last time I (my Newsreader) saw it working was May 20th. The repository itself seems to still be there.
>
> Is there any special reason for hiding the repository from websvn or is this a bug? I used this to monitor the repository per RSS.

This is a bug in the sense that the machine hosting Debian's SVN was upgraded and wsvn has not been resurrected since, which is a known issue to the machine's administrators. There's a viewvc installation that is working, although I'm not sure that it supports RSS. http://anonscm.debian.org/viewvc/secure-testing/

Cheers,
Thijs
Re: DSA-2252-1 vs. tracker
On Fri, June 3, 2011 22:05, Francesco Poli wrote:
> On Fri, 3 Jun 2011 20:01:05 +0200 Thijs Kinkhorst wrote:
>> On Fri, June 3, 2011 00:04, Francesco Poli wrote:
>>> Hi, DSA-2252-1 [1] talks about dovecot, but the tracker [2] claims that the DSA is about mahara. Is there something wrong? Could someone fix it, please?
>>
>> Thanks, a copy/paste error in SVN which has since been fixed.
>
> Good, but it seems that the fixed version for squeeze misses the epoch...

And thanks again for your attention to detail.

Thijs
Re: Squeeze release vs. tracker
On Monday 14 February 2011 19:07:41 Francesco Poli wrote:
> No, wait: it fails again with the same exact proxy error as yesterday! What's going on?

I just restarted the tracker after updating the code to the most recent version and it seems to work again.

Thijs

signature.asc
Description: This is a digitally signed message part.
Re: Squeeze release vs. tracker
On Wed, February 9, 2011 19:50, Francesco Poli wrote:
> On the other hand, the security tracker seems to still think that lenny is stable [1] and squeeze is testing [2], while I have been unable to find any traces of wheezy...
>
> Is there something that should be done manually, in order to let the tracker realize that squeeze is out? Is there any event that should happen before this can be done?

I've changed the code right after squeeze's release. I've also restarted the tracker service. Apparently this is not enough - Florian, can you help?

Thijs
Re: Squeeze release vs. tracker
On Thu, February 10, 2011 03:40, Michael Gilbert wrote:
> On Wed, 9 Feb 2011 22:12:21 +0100 Thijs Kinkhorst wrote:
>> On Wed, February 9, 2011 19:50, Francesco Poli wrote:
>>> On the other hand, the security tracker seems to still think that lenny is stable [1] and squeeze is testing [2], while I have been unable to find any traces of wheezy...
>>>
>>> Is there something that should be done manually, in order to let the tracker realize that squeeze is out? Is there any event that should happen before this can be done?
>>
>> I've changed the code right after squeeze's release. I've also restarted the tracker service. Apparently this is not enough - Florian, can you help?
>
> The Makefile also needs to change since that is used to download the release files that are parsed for package version info.

Thanks, so that's what I've overlooked. I changed it now but (famous last words) I need to leave soon so I hope it didn't break too much. On the other hand, the tracker didn't work for wheezy now anyway. I skipped the volatile part as that has completely changed for squeeze so if someone wants to put the correct urls in there be my guest.

Cheers,
Thijs
Re: script to add DSA's to tracker disabled
On Wed, December 22, 2010 21:35, Francesco Poli wrote:
>> I ran a script that automatically added released DSA's to data/DSA/list. As this script uses bin/dsa2list and that tool cannot cope with the changed advisory format, it doesn't make sense to keep committing half parsed advisories.
>
> I am not sure I understand what you are proposing: are you saying that the automatic tracker update should be temporarily suspended, until dsa2list is fixed to parse the new advisory format? I hope dsa2list may be updated soon...

If it was easily fixable I would have done that instead, but the problem is that dsa2list entirely depends on being able to download the .dsc. That is no longer listed in the advisory text due to DAK changes necessary for squeeze security support. As the advisory format is in flux for the upcoming time I don't think it's useful now to invest in a dsa2list rewrite, but rather await what we finally conclude to be the new format.

> May I go on reporting inconsistencies between DSAs and tracker data, whenever I notice any?

Yes, the DSA's will be added as they used to be in the past: by hand. If one still isn't present after a while feel free to alert us.

Cheers,
Thijs
script to add DSA's to tracker disabled
Hi,

I ran a script that automatically added released DSA's to data/DSA/list. As this script uses bin/dsa2list and that tool cannot cope with the changed advisory format, it doesn't make sense to keep committing half parsed advisories.

Cheers,
Thijs
Re: Debian BTS report for CVE-2010-2941 (cups)
On Saturday 13 November 2010 11:14:16 Petter Reinholdtsen wrote:
> I just created URL: http://bugs.debian.org/603344 to track CVE-2010-2941 in BTS. You might want to add a reference to it from URL: http://security-tracker.debian.org/tracker/CVE-2010-2941 .

Done, thanks.

Thijs
Re: DSA-2107-1 vs. tracker
On Thursday 9 September 2010, Francesco Poli wrote:
> it looks like something is missing in the tracker data [1] for DSA-2107-1 [2] !

Completed, thanks!

Thijs
security-tracker.debian.net no longer functional
Hi,

Is there a reason that the DNS name security-tracker.debian.net has been removed? This seems problematic to me since there's still quite some links to that, most notably debsecan in stable. Unless there's a good reason I'd like to reinstate it.

Cheers,
Thijs
Re: Getting new tracker service code to go live
On Sunday 3 January 2010, Michael Gilbert wrote:
> I've updated the sql logic to workaround a bug in lenny's aspw (and the code is actually now a bit cleaner...for sql anyway). Please push this new commit to the live tracker.

U    lib/python/security_db.py
Updated to revision 13701.
Re: Getting new tracker service code to go live
On Saturday 2 January 2010, Michael Gilbert wrote:
> It appears that new commits to the tracker service do not automatically go live (based on the above syntax checker message received from sectrac...@soler.debian.org). Anyway, can someone with appropriate permissions update the repo there

This is what I did:

sectrac...@soler:/srv/security-tracker.debian.org/website/secure-testing$ svn up
U    lib/python/security_db.py
U    lib/python/bugs.py
U    bin/tracker_service.py
A    bin/generate-sequential-cve-ids
U    bin/test-web-server
A    bin/generate-sequential-bugs
U    bin/check-new-issues
Updated to revision 13699.

Thijs
Re: [Secure-testing-commits] r13252 - data
On Monday 9 November 2009, Jakub Wilk wrote:
> NOTE: embeds msgfmt.py script
>
> - - mailman unfixed (embed)
> + - mailman unfixed (embed; #555416)

Although this is installed into the Debian package, it is never used and not installed into the path. What is the risk here? I can see to removing it in a next release purely because it's cruft, but do not see the added value of putting it on the embedded code copies list.

Thijs
Re: [Secure-testing-commits] r11972 - data/CVE
On Sunday 24 May 2009, Joey Hess wrote:
> CVE-2007-2004 (Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 ...)
> - {DTSA-133-1}
> NOT-FOR-US: InoutMailingListManager

Would it be possible for the tracker to error out on this when first encountering the situation that a D(T)SA is coupled with a NFU?

Thijs
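The check asked for here (refuse an entry that couples a D(T)SA reference with NOT-FOR-US) is the kind of consistency rule the pre-commit syntax hook on data/* mentioned earlier in this archive could enforce. The following is an added example, not code from the security tracker or its hooks: a small parser for the data/CVE/list text layout and a lint pass over it. The layout it assumes (entry header at column 0, indented continuation lines, advisory ids in braces, "- package version (...)" state lines, a NOT-FOR-US: line) is my reading of the format at the time and is an assumption; the sample entries, ids and package names are constructed placeholders.

```python
# Added example, not code from the Debian security tracker: a consistency
# check over entries in the data/CVE/list text format that flags an entry
# referencing a D(T)SA while being marked NOT-FOR-US. The layout assumed
# here is an assumption about the tracker's data files, not taken from them.
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(CVE-\d{4}-(?:\d+|XXXX))\b")
ADVISORY_RE = re.compile(r"^\{([^}]*)\}")


def parse_entries(text: str) -> List[Dict]:
    """Group the flat file into entries: one header plus its indented lines."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # a new entry starts at column 0
            m = ENTRY_RE.match(raw)
            if not m:
                raise ValueError(f"unrecognised header line: {raw!r}")
            entries.append({"id": m.group(1), "advisories": [],
                            "packages": [], "not_for_us": False})
            continue
        if not entries:
            raise ValueError("continuation line before the first entry")
        line = raw.strip()
        entry = entries[-1]
        adv = ADVISORY_RE.match(line)
        if adv:
            entry["advisories"].extend(adv.group(1).split())
        elif line.startswith("- "):
            entry["packages"].append(line[2:].split()[0])
        elif line.startswith("NOT-FOR-US:"):
            entry["not_for_us"] = True
        # NOTE:, RESERVED, REJECTED and other lines carry no state we check
    return entries


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (cve id, problem) pairs; an empty list means the data is consistent."""
    findings = []
    for e in parse_entries(text):
        if e["not_for_us"] and e["advisories"]:
            findings.append((e["id"], "NOT-FOR-US entry references advisory "
                             + ", ".join(e["advisories"])))
        if e["not_for_us"] and e["packages"]:
            findings.append((e["id"], "NOT-FOR-US entry also lists packages "
                             + ", ".join(e["packages"])))
    return findings


# Constructed sample in the assumed layout; ids and names are placeholders.
SAMPLE = "\n".join([
    "CVE-0000-0001 (constructed: SQL injection in an unpackaged web app)",
    "\t{DTSA-000-1}",
    "\tNOT-FOR-US: unpackaged-web-app",
    "CVE-0000-0002 (constructed: buffer overflow in somepkg)",
    "\t{DSA-0000-1}",
    "\t- somepkg 1.2-3 (medium; bug #000000)",
    "CVE-0000-0003 (constructed: issue in another unpackaged app)",
    "\tNOT-FOR-US: another-app",
])

if __name__ == "__main__":
    for cve, problem in lint(SAMPLE):
        print(f"{cve}: {problem}")
```

Run as a pre-commit hook over the committed file, a non-empty `lint()` result would reject the commit with the offending CVE id, which is the "error out when first encountering the situation" behaviour the mail asks for.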
Re: DSA vs tracker: is CVE-2008-5814 fixed in unstable?
On Monday 11 May 2009, Michael S. Gilbert wrote:
> security team, should the DSA announcement be reissued to correct/clarify?

That should not be necessary. The DSA mails pertain to the state of affairs in old/stable; we mention sid fixed versions as a courtesy but I don't see it necessary to issue an update just for that. We can always update the associated DSA web page if a newer sid version is available.

Thijs
Re: [Secure-testing-commits] r11636 - data/CVE
On Friday 17 April 2009, Kees Cook wrote:
> For embargoed issues, this is supposed to happen already, by way of vendor-sec. Who all from Debian is on that list, and what are the policies and procedures you have in place for contacting maintainers?

The Security Team is on that list. We do contact maintainers when there's an issue affecting their packages. With udev that went wrong, probably because we had a reduced number of active people due to various VACs.

> One idea we'd had was to send email to the Debian maintainer for stuff we've ranked as High or Critical, with something like "there's an embargoed issue with $pkg, please make sure you get details from the Debian security team".

I'm not sure if this is a good idea, since some maintainers are actually public mailing lists.

cheers,
Thijs
Re: No DSA-168[67]-1 on the tracker
On Wed, December 17, 2008 00:03, Francesco Poli wrote:
> It seems that there's no tracker page [1][2] for DSA-1686-1 [3] and DSA-1687-1 [4]. What's wrong?

Something went wrong which brought the checkout the script uses to commit its update in, in a conflict state. I resolved that now, and Florian added the missing DSA's.

Thijs
Re: No DSA-1665-1 on the tracker
On Thu, November 20, 2008 12:59, Gerfried Fuchs wrote:
> The script itself (bin/dsa2list) is able to work through it properly, so I suspect a mail problem, DSA-1666-1 got added automatically again?

There is a chance that the mail got lost or filtered. Another possibility is that dsa2list failed at that time because not all mirrors were yet in sync (perhaps related to the recent breakages of the dak scripts?). This is just guessing, I can delve into it later when I have more time. Still, I think the current solution performs very acceptably compared to what we had.

> Maybe the automatism should be put onto a more central box, I don't know where it is currently run and how stable network is there?

It is currently run on one of my servers with very stable network connectivity (same connectivity as klecker). I could probably move it to alioth or similar when I find some time. One issue is that the current subscribed address receives emails as one of the first on the list, it would be nice to have a similar speedy solution when moving it.

A really ideal solution would involve storing DSA data in a more structured form, and generating all output formats from that (e-mail, webpages, RSS, tracker, ...) from that instead of trying to parse mails after the fact.

cheers,
Thijs
Re: Conflicting Information on CVE-2008-3699 Page
On Wed, October 22, 2008 23:59, Michael Gilbert wrote:
> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known to be vulnerable", yet in the next section it says that etch 1.4.4-4 vulnerable. These two statements contradict one another, and lead one clueless as to whether the issue has been fixed or not in stable. The tracker should be updated with correct information.

In this case the issue is marked as a non-issue, the rationale is at the bottom of the page. That makes the top part say that we're not affected. The vulnerability indications below are not that meaningful for non-issues. We could see if we can improve the presentation of items marked as a non-issue.

cheers,
Thijs
Re: [Secure-testing-commits] r9775 - data/CVE
On Mon, September 8, 2008 13:09, [EMAIL PROTECTED] wrote:
> Regression fixed in wordnet
>
> - - wordnet 1:3.0-12 (medium; bug #497441)
> + - wordnet 1:3.0-13 (medium; bug #497441)

Since the regression doesn't have security implications, wouldn't it be more accurate to keep the fixed-version at 1:3.0-12?

Thijs
Re: Bug#496851: yelp: does not correctly handle format strings for certain error messages
On Thursday 28 August 2008 03:51, Michael Gilbert wrote:
>>> what about getting a fix for this issue into stable?
>>
>> it doesn't affect stable
>
> ok, can someone update the tracker [1] to reflect that this issue does not affect etch (yelp 2.14) and sarge (yelp 2.6)?

I've updated the etch information. Sarge is not security-supported anymore since March.

cheers,
Thijs
Re: [php-maint] Bug#479723: php 5.2.6 Security Fixes
Hi Moritz,

On Tuesday 6 May 2008 12:16, Moritz Naumann wrote:
> http://www.php.net/ChangeLog-5.php lists several security fixes which are included in upstream PHP 5.2.6:

Thanks for your help in matching the changelog issues to CVE names, I've put your suggestions into the tracker.

> * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
> -- CVE-2007-4850 (acc. to http://securityreason.com/achievement_securityalert/51)
> -- already tracked at http://security-tracker.debian.net/tracker/CVE-2007-4850
> -- missing source package reference at http://security-tracker.debian.net/tracker/source-package/php5

It is not really missing, we track the issue but it's marked as a non-issue (we treat safe mode bypasses as non-issues) and thus not shown in that overview.

> * Upgraded PCRE to version 7.6 (Nuno)
> -- CVE-2008-0674 (best match, no reference found)
> -- not tracked yet
> -- possibly missing reference at http://security-tracker.debian.net/tracker/CVE-2008-0674 (but should really be tracked separately)
> -- local code execution through buffer overflow

The php5 package in Debian uses the system copy of PCRE, so this isn't an open issue. I've updated the tracker to add this information to that CVE.

cheers,
Thijs
Re: [Secure-testing-commits] r7940 - data/CVE
On Wed, January 16, 2008 14:08, Nico Golde wrote:
>> do some more shifting on wordpress issues, associate them with the wordpress package, discard some irrelevant ones. Have checked none with lenny/sid, that needs to happen still.
>
> Do we really want our users in unstable to think that they are affected by a problem while we don't know it?

We know of these issues that at least some Debian release is known to be affected. I think it is not good to wait until we have confirmed or disconfirmed every Debian release until we add some item to a specific package. We often have a list of issues for a specific package of which we do not know of every suite whether it is affected or not, this can be added or updated later. I'd rather have a complete list of possible issues for a package, so someone that is going to work on that package has an overview of all currently known CVE id's, than to add things only when we're 100% sure.

We do this all the time for our stable and oldstable users: some package with a fixed unstable version is added, and it is then shown as vulnerable in stable/oldstable. A while later someone adds information that stable/oldstable is not affected.

Thijs
temp names stop working when CVE assigned
Hi,

I found a mail from a couple of months ago where this URL was used: http://security-tracker.debian.net/tracker/TEMP-000-009184

It was valid at the time, but later a CVE id got assigned for the issue. The URL is not for external reference, but this was an internal Debian mail. Would it be possible when a CVE gets assigned to such an issue, to keep the old URL and have it redirect to the CVE?

Thijs
Re: Tracker inconsistency regarding gallery2?
Hi,

On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes CVE-2007-4650 for etch. The DSA page [2] seems to confirm this. However the CVE page [3] tells a different story: it states that version 2.1.2-2.0.etch.1 is vulnerable. Is this a security-tracker internal inconsistency?

I've corrected this now, it was due to a misunderstanding by myself of the tracker information.

Thijs