tags 582196 moreinfo
thanks
Hi Mike,
On Fri, May 21, 2010 03:12, Michael Gilbert wrote:
>> That's not a bug in the tracker, you should simply only add entries
>> to DSA/list which point to security problems.
>
> i am going to work on this problem, so please don't override my
> reminder without du
Package: security-tracker
Severity: wishlist
Hi,
In the overview per-package, the tracker currently shows for each CVE
name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy,
wheezy-security, jessie, sid.
I think for the overviews it would be preferable if the table just shows
On Tue, September 16, 2014 09:10, Paul Wise wrote:
> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:
Not sure what you'd use that additional info for, but I would heartily
disrecommend to display
On Mon, September 15, 2014 16:07, Holger Levsen wrote:
> control: tags -1 + pending
>
> Hi,
>
> see attached. This version also deals with several URLs in one note :)
>
> It also works for all three recent examples of Salvatore.
Go
Thijs
--
To UNSUBSCRIBE, email to debian-security-tracker-req
On Mon, September 15, 2014 01:36, Holger Levsen wrote:
> Hi,
>
> See attached or branch html5+external_css from
> ssh://git.debian.org/git/collab-maint/secure-testing.git
>
> These patches turn the html into html5 and introduce a modern, slick css
> style
> inspired from tracker.d.o - enjoy! :)
>
>
On Mon, September 15, 2014 07:33, Henri Salo wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
>> My guess is that the only reason that subversion is still used is
>> inertia and that people would be happier with git. However, I'm cu
On Fri, September 12, 2014 15:14, Holger Levsen wrote:
> Hi,
>
> On Freitag, 12. September 2014, Holger Levsen wrote:
>> attached are three small no brainer fixes I'd like to apply, please
>> confirm
>
> thanks to Thijs, this diff even got smaller and better, see attached.
>
> I've verified that th
Hi Mathieu,
On Wed, April 16, 2014 19:58, vielg...@gmail.com wrote:
> Hi Thijs,
>
> Yes, thanks, but is there a list .txt or .gz which sum up everything ?
The source data is plain text:
http://anonscm.debian.org/viewvc/secure-testing/data/CVE/
What may also be of use is the source data for the d
Hi Mathieu.
On Wed, April 16, 2014 18:59, vielg...@gmail.com wrote:
> Is there a way to get the list of the correcting packets for each CVE in
> Debian ?
Yes, if you go to https://security-tracker.debian.org/tracker/ and search
for a CVE name in the text field, you will get a list of the packages
On Fri, May 17, 2013 10:50, Peter Palfrader wrote:
> On Fri, 17 May 2013, Thijs Kinkhorst wrote:
>
>> Hi dsa,
>>
>> On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
>> > Hi admins,
>> >
>> > It was noted that the security tracker now blanket re
Hi dsa,
On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
> Hi admins,
>
> It was noted that the security tracker now blanket redirects to
> https://security-tracker.debian.org. This is fine of course for us DD's,
> but it presents a problem for externals using it. The tra
Hi admins,
It was noted that the security tracker now blanket redirects to
https://security-tracker.debian.org. This is fine of course for us DD's,
but it presents a problem for externals using it. The tracker is often
used by e.g. different distributions like RH and Gentoo, which may not
have the
On Wed, February 27, 2013 04:43, Steven Chamberlain wrote:
> Dear Security Team,
>
> In the tracker, CVE-2011-1092 and CVE-2011-1148 "in PHP before 5.3.6"
> are correctly shown as fixed in 5.3.3-7+squeeze14. But 5.4.4-13 is
> still suggested as being vulnerable.
>
> The upstream changelog for 5.4.
Hi Florian,
On Fri, February 8, 2013 21:28, Florian Weimer wrote:
> Good point. We shouldn't have experimental in the tracker because it
> doesn't work - in general, the fixed versions from unstable cannot be
> applied there.
As there was another confusion about this today, I've committed r21301
On Sat, June 16, 2012 00:40, s...@powered-by-linux.com wrote:
> Hi Team,
>
> I had prepared a new security-stable version for mantis package to fix
> some new CVE's, and I found out that CVE-2011-3578 [1], patched on mantis
> 1.1.8+dfsg-10squeeze1, from 2011, was not yet updated in the security
> t
On Sun, September 11, 2011 22:28, Paul van der Vlis wrote:
> Hello,
>
> I see security issues in Django on the Django website,
> https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
>
> But I don't see anything in the Debian security tracker about it:
> http://security-tracker
Hi Enno,
On Mon, June 6, 2011 14:14, Enno Gröper wrote:
> the link at [1] to http://svn.debian.org/wsvn/secure-testing/data/
> doesn't work anymore. Last time I (my Newsreader) saw it working was May
> 20th.
> The repository itself seems to still be there.
> Is there any special reason for hiding
On Fri, June 3, 2011 22:05, Francesco Poli wrote:
> On Fri, 3 Jun 2011 20:01:05 +0200 Thijs Kinkhorst wrote:
>
>> On Fri, June 3, 2011 00:04, Francesco Poli wrote:
>> > Hi,
>> > DSA-2252-1 [1] talks about dovecot, but the tracker [2] claims that
>> the
>>
On Fri, June 3, 2011 00:04, Francesco Poli wrote:
> Hi,
> DSA-2252-1 [1] talks about dovecot, but the tracker [2] claims that the
> DSA is about mahara.
>
> Is there something wrong?
> Could someone fix it, please?
Thanks, a copy/paste error in SVN which has since been fixed.
Thijs
--
To UNSU
On Monday 14 February 2011 19:07:41 Francesco Poli wrote:
> No, wait: it fails again with the same exact proxy error as yesterday!
>
> What's going on?
I just restarted the tracker after updating the code to the most recent
version and it seems to work again.
Thijs
signature.asc
Description:
On Thu, February 10, 2011 03:40, Michael Gilbert wrote:
> On Wed, 9 Feb 2011 22:12:21 +0100 Thijs Kinkhorst wrote:
>
>> On Wed, February 9, 2011 19:50, Francesco Poli wrote:
>> > On the other hand, the security tracker seems to still think that
>> lenny
>> > is
On Wed, February 9, 2011 19:50, Francesco Poli wrote:
> On the other hand, the security tracker seems to still think that lenny
> is stable [1] and squeeze is testing [2], while I have been unable to
> find any traces of wheezy...
>
> Is there something that should be done manually, in order to let
On Wed, December 22, 2010 21:35, Francesco Poli wrote:
>> I ran a script that automatically added released DSA's to data/DSA/list.
>> As
>> this script uses bin/dsa2list and that tool cannot cope with the changed
>> advisory format, it doesn't make sense to keep committing half parsed
>> advisories
Hi,
I ran a script that automatically added released DSA's to data/DSA/list. As
this script uses bin/dsa2list and that tool cannot cope with the changed
advisory format, it doesn't make sense to keep committing half parsed
advisories.
Cheers,
Thijs
signature.asc
Description: This is a digit
On Saturday 13 November 2010 11:14:16 Petter Reinholdtsen wrote:
> I just created http://bugs.debian.org/603344 > to track
> CVE-2010-2941 in BTS. You might want to add a reference to it from
> http://security-tracker.debian.org/tracker/CVE-2010-2941 >.
Done, thanks.
Thijs
signature.asc
Descri
On tongersdei 9 Septimber 2010, Francesco Poli wrote:
> it looks like something is missing in the tracker data [1] for
> DSA-2107-1 [2] !
Completed, thanks!
Thijs
signature.asc
Description: This is a digitally signed message part.
Hi,
Is there a reason that the DNS name security-tracker.debian.net has been
removed? This seems problematic to me since there's still quite some links to
that, most notably debsecan in stable.
Unless there's a good reason I'd like to reinstate it.
Cheers,
Thijs
signature.asc
Description: Th
On moandei 19 July 2010, Mike Hommey wrote:
> As I started to work on next round of mozilla security updates, I found
> out that CVE-2010-1206 doesn't apply to 3.0.x and earlier, because the
> faulty code was introduced in 3.1b1 by
> https://bugzilla.mozilla.org/show_bug.cgi?id=254714
> Also, the v
Hi all,
On Tue, May 18, 2010 00:54, Michael Gilbert wrote:
> Author: gilbert-guest
> Date: 2010-05-17 22:54:10 + (Mon, 17 May 2010)
> New Revision: 14698
>
> Modified:
>data/CVE/list
>data/DSA/list
> Log:
> NFUs, new issues, and dsa-2038-2
> Modified: data/DSA/list
> =
Hi Neil,
On sneon 15 Maaie 2010, Neil Williams wrote:
> I find it confusing that either CVE is still listed in the security
> tracker at all.
>
> When a CVE bug is closed as invalid or illogical, why isn't the CVE
> also deleted or removed? Leaving it as "vulnerable but unimportant" is
> erroneou
On snein 3 Jannewaris 2010, Michael Gilbert wrote:
> I've updated the sql logic to workaround a bug in lenny's aspw (and
> the code is actually now a bit cleaner...for sql anyway). Please push
> this new commit to the live tracker.
Ulib/python/security_db.py
Updated to revision 13701.
--
On sneon 2 Jannewaris 2010, Michael Gilbert wrote:
> It appears that new commits to the tracker service do not
> automatically go live (based on the above syntax checker message
> recieved from sectrac...@soler.debian.org). Anyway, can someone with
> appropriate permissions update the repo there
On sneon 2 Jannewaris 2010, Michael Gilbert wrote:
> I spent some time looking around alioth today to try to figure out this
> problem. It looks like the syntax checking script executes itself in an
> old version of the tracker (located at /home/groups/secure-testing/repo),
> which is why it is no
On moandei 9 Novimber 2009, Jakub Wilk wrote:
> NOTE: embeds msgfmt.py script
> - - mailman (embed)
> + - mailman (embed; #555416)
Although this is installed into the Debian package, it is never used and not
installed into the path. What is the risk here? I can see to removi
On snein 24 Maaie 2009, Joey Hess wrote:
> CVE-2007-2004 (Multiple SQL injection vulnerabilities in
> InoutMailingListManager 3.1 ...)
> - {DTSA-133-1}
> NOT-FOR-US: InoutMailingListManager
Would it be possible for the tracker to error out on this when first
encountering the situa
On moandei 11 Maaie 2009, Michael S. Gilbert wrote:
> security team,
>
> should the DSA announcement be reissued to correct/clarify?
That should not be necessary. The DSA mails pertain to the state of afairs in
old/stable; we mention sid fixed versions as a courtesy but I don't see it
necessary
On moandei 11 Maaie 2009, Michael S. Gilbert wrote:
> security team,
>
> should the DSA announcement be reissued to correct/clarify?
That should not be necessary. The DSA mails pertain to the state of afairs in
old/stable; we mention sid fixed versions as a courtesy but I don't see it
necessary
On freed 17 April 2009, Kees Cook wrote:
> For embargoed issues, this is supposed to happen already, by way of
> vendor-sec. Who all from Debian is on that list, and what are the policies
> and procedures you have in place for contacting maintainers?
The Security Team is on that list. We do conta
On Wed, April 1, 2009 22:00, Michael S. Gilbert wrote:
> Even though it's not always daily, this is still a significant
> improvement over previous years, in which updates would occur once a week
> or less. For the CVE data updates, our security processes require manual
> steps as part of a defense
On moandei 30 Maart 2009, Michael S. Gilbert wrote:
> since i am doing security research, i would really like to see these
> included in the tracker so i can make use of the debian tracking system,
> rather than coming up with my own special solution just for these issues.
If this really makes you
On moandei 30 Maart 2009, Michael S. Gilbert wrote:
> thanks for the info. missing info could give people the impression
> that something is awry. maybe some sort of note should be added. for
> example:
>
> [23 Mar 2009] DSA-1753-1 iceweasel - end of security support in etch
> NOTE: no
On moandei 30 Maart 2009, Michael S. Gilbert wrote:
> there are a couple DSAs missing from the security tracker.
> DSA-1753 is
> the end of life for iceweasel, should any kind of note be made for
> that in the tracker?
I don't think so, as there are no issues that entry would mark as fixed it
On Sat, December 20, 2008 14:22, Steffen Joeris wrote:
> I wasn't aware of the new dak feature on ftp-master that uploads to
> testing-security, which are newer than the unstable version get put into
> unstable as well.
Just to set the record straight: this is actually an old feature, which
has ju
On Wed, December 17, 2008 00:03, Francesco Poli wrote:
> It seems that there's no tracker page [1][2] for DSA-1686-1 [3] and
> DSA-1687-1 [4]. What's wrong?
Something went wrong which brought the checkout the script uses to commit
its update in, in a conflict state. I resolved that now, and Flori
On Thu, November 20, 2008 12:59, Gerfried Fuchs wrote:
> The script itself (bin/dsa2list) is able to work through it properly,
> so I suspect a mail problem, DSA-1666-1 got added automatically again?
There is a chance that the mail got lost or filtered.
Another possibility is that dsa2list failed
On Friday 24 October 2008 06:13, Michael Gilbert wrote:
> The CVE-2008-3230 page seems to have the same problem. What would
> need to be done to fix this? I may have some time to look at the code
> and make it work better -- if someone can tell me where to start. Is
> the code that generates the
On Wed, October 22, 2008 23:59, Michael Gilbert wrote:
> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known
> to be vulnerable", yet in the next section it says that "etch 1.4.4-4
> vulnerable". These two statements contradict one another, and lead one
> clueless as to whether th
On Mon, September 8, 2008 13:31, Gerfried Fuchs wrote:
> Anyway, please find attached a patch that should fix the issue. Most
> xulrunner entries here were marked as , some were marked with the
> icedove version number instead of the xulrunner one.
Thanks for your help. I've applied the patch. Can
On Mon, September 8, 2008 13:09, [EMAIL PROTECTED] wrote:
> Regression fixed in wordnet
> - - wordnet 1:3.0-12 (medium; bug #497441)
> + - wordnet 1:3.0-13 (medium; bug #497441)
Since the regression doesn't have security implications, wouldn't it be
more accurate to keep the fixed-version
On Thursday 28 August 2008 03:51, Michael Gilbert wrote:
> >> what about a getting a fix for this issue into stable?
> >
> > it doesn't affect stable
>
> ok, can someone update the tracker [1] to reflect that this issue does
> not effect etch (yelp 2.14) and sarge (yelp 2.6)?
I've updated the etc
On Tuesday 19 August 2008 13:14, Nico Golde wrote:
> > Should we remove the mktemp "temp issue" from the tracker or rather mark
> > it as no-dsa or unimportant?
>
> Removed it, I think Steves suggestion is fine.
Ok. Of course the fix in lenny is a win since even unsafe use gets a bit
safer :-)
On Monday 18 August 2008 22:26, Nico Golde wrote:
> Hi Steven,
>
> * Steven M. Christey <[EMAIL PROTECTED]> [2008-08-18 22:09]:
> > On Mon, 18 Aug 2008, Nico Golde wrote:
> > > This is known but as I wrote in the bug report:
> > > "the file is safely created with O_EXCL and 0600, still
> > > unsafe
On Monday 4 August 2008 19:50, Thijs Kinkhorst wrote:
> Following a short interchange with Steve from Mitre I've discovered that
> http://cve.mitre.org/data/downloads/allitems.html.gz probably isn't the
> best source to get our CVE's into the tracker.
Oh and besides,
On Thursday 24 July 2008 00:31, Michael Gilbert wrote:
> according to the CVE page [1], the flaw described by CVE-2008-2826 at
> most could be used to cause a denial of service by local users.
> hence, this should be listed as a low-urgency issue in the tracker.
> thanks.
Indeed. Updated, thanks!
Hey all,
Following a short interchange with Steve from Mitre I've discovered that
http://cve.mitre.org/data/downloads/allitems.html.gz probably isn't the best
source to get our CVE's into the tracker.
We have the following options:
- Keep the current feed.
It works. But, it's only updated a fe
Hi Gerfried,
On Thu, July 24, 2008 13:41, Gerfried Fuchs wrote:
> Personally I have no problems with following the reports from both the
> stable and testing team and go through them for the time being, if people
> don't see much point in having it non-manually tracked, but still I guess
> we can
On Wed, July 30, 2008 10:43, Steffen Joeris wrote:
> I suppose you still need to add the distribution names (if oldstable is
> still supported it would be three for all distros, so it shouldn't be too
> much).
I'm not sure what value that would add. Aren't most candidate packages for
this function
On Friday 25 July 2008 01:07, Francesco Poli wrote:
> > > I think I've noticed another DSA with tracker inconsistencies.
> > > DSA-1615-1 [1] claims that several CVEs are fixed in
> > > xulrunner/1.9.0.1-1 for sid. On the other hand, most of these CVEs
> > > (which are linked from the DSA tracker
Hi Francesco,
> I think I've noticed another DSA with tracker inconsistencies.
> DSA-1615-1 [1] claims that several CVEs are fixed in xulrunner/1.9.0.1-1
> for sid. On the other hand, most of these CVEs (which are linked from the
> DSA tracker page [2]) are not reported as fixed in
> xulrunner/1.
On Sat, July 5, 2008 15:01, Nico Golde wrote:
>> I've started something that looks like this but it is not too well
>> tested at this point. I'll keep an eye on it.
>
> How does this script work, would it also work for
> testing-security uploads?
Quite simple really: it's just based on the debian-
On Wed, July 2, 2008 23:05, Moritz Muehlenhoff wrote:
> On Fri, Jun 27, 2008 at 09:29:58AM +0200, Thijs Kinkhorst wrote:
>
>> On Thursday 26 June 2008 23:52, Moritz Muehlenhoff wrote:
>>
>>>> The DSA parser seems to work in 99% of the cases (rough estimate
>>&
On Thursday 26 June 2008 23:52, Moritz Muehlenhoff wrote:
> > The DSA parser seems to work in 99% of the cases (rough estimate ;-)).
> > What would you think of automatically adding new DSA's appearing on the
> > d-s-a list and correct those 1% that go wrong afterwards?
>
> What's the status? Has t
Guys,
The DSA parser seems to work in 99% of the cases (rough estimate ;-)).
What would you think of automatically adding new DSA's appearing on the
d-s-a list and correct those 1% that go wrong afterwards?
Thijs
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe".
Hi Francesco,
On Sunday 18 May 2008 12:12, Francesco Poli wrote:
> Hi all!
>
> I don't understand which vulnerabilities is DTSA-131-1 supposed to fix.
> The tracker page [1] does not mention any CVE or bug.
> The svn repository file data/DTSA/list does not either.
A CVE id for that bug is still
Package: security-tracker
Severity: wishlist
Hi,
Currently, issues marked as unimportant disappear entirely off the
radar, which is not a big problem. I think for clarity however it
would be better if they were displayed somewhere so users can see we
know that such a CVE applies to the package, b
Hi Moritz,
On Tuesday 6 May 2008 12:16, Moritz Naumann wrote:
> http://www.php.net/ChangeLog-5.php lists several security fixes which are
> included in upstream PHP 5.2.6:
Thanks for your help in matching the changelog issues to CVE names, I've put
your suggestions into the tracker.
> * Fix
On Sunday 4 May 2008 02:52, Michael Gilbert wrote:
> On 5/3/08, Michael Gilbert wrote:
> > it appears that the recent moodle issues (CVE-2006-146 and
> > CVE-2006-147) never affected sid (they were only applicable to
> > sarge [1]).
>
> i made a mistake in this sentance. the issues did originally
On Sunday 4 May 2008 02:39, Michael Gilbert wrote:
> it appears that the recent abiword issue (CVE-2006-4513) was fixed in sid
> a while back (see bug #396360 [1]). it doesn't appear that the abiword
> maintainer ever sent a message to let the security team know about this.
> however, in the threa
Hi Michael,
On Sunday 4 May 2008 01:59, Michael Gilbert wrote:
> On 3/23/08, Michael Gilbert wrote:
> > curious as to whether the issue was fixed, i looked through the
> > 1.0.16-1 source code and compared it to the DSA-1505-1 patch for etch
> > [2]. it looks to me like the patch is indeed applie
On Thursday 1 May 2008 12:40, Francesco Poli wrote:
> > Instead of writing lengthy mails, feel free to commit them yourselves
> > in the future:
> > http://security-tracker.debian.net/tracker/data/report
>
> I have mixed feelings about your reply.
I think what Moritz means is the following.
Missi
Hi all,
Is there a way we can make the tracker aware that sarge is now EOL'ed? If I
view a package's details there are vulnerabilities under "Open Issues" that
only affect sarge. I believe these should not be listed under Open if they
are resolved in etch/lenny/sid.
cheers,
Thijs
pgpQ40cAiN
Hi Francesco,
On Friday 25 April 2008 00:31, Francesco Poli wrote:
> DSA-1554-1 [1] was issued back on Tuesday, but
> there seems to be no corresponding page on the tracker (query [2]
> currently leads to a "Not found" response).
>
> More recent DSAs [3][4][5][6][7][8][9][10] are currently in a si
On Thu, February 14, 2008 19:14, Francesco Poli wrote:
> DSA-1495-1 [1] and DSA-1496-1 [2] were issued back on Tuesday, but
> there seem to be no corresponding pages on the tracker (queries [3][4]
> currently lead to a "Not found" response).
These have been added now. Thanks for the note.
Thijs
On Wed, January 16, 2008 14:08, Nico Golde wrote:
>> do some more shifting on wordpress issues, associate them with the
>> wordpress package, discard some irrelevant ones. Have checked none with
>> lenny/sid, that needs to happen still.
>
> Do we really want our users in unstable to think that they
Hi,
I found a mail from a couple of months ago where this URL was used:
http://security-tracker.debian.net/tracker/TEMP-000-009184
It was valid at the time, but later a CVE id got assigned for the issue.
The URL is not for external reference, but this was an internal Debian
mail.
Would it be
On Tuesday 11 December 2007 09:37, [EMAIL PROTECTED] wrote:
> Log:
> CVE-2007-6205 fixed in serendipity 1.2.1-1
> CVE-2007-6205
> RESERVED
> + - serendipity 1.2.1-1 (low)
This issue is: XSS through remote RSS feeds.
I would rate it as unimportant myself: it requires using this specifi
Hi all,
phpMyAdmin upstream issued PMASA-2007-8: a cross site scripting issue. I've
uploaded the new upstream right away; etch & sarge are not affected. So the
status currently is that no Debian suite is still affected. There's no
associated CVE id.
Should I record this issue in the tracker so
On Sunday 11 November 2007 21:12, [EMAIL PROTECTED] wrote:
> Modified: data/DSA/list
> ===
> --- data/DSA/list 2007-11-11 18:50:43 UTC (rev 7279)
> +++ data/DSA/list 2007-11-11 20:12:51 UTC (rev 7280)
> @@ -1,3 +1,7 @@
> +[09 N
Hi,
On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1.2-2
Hi All,
On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1
On Friday 5 October 2007 09:38, [EMAIL PROTECTED] wrote:
> Modified:
>data/DSA/list
> Log:
> DSA-1383 gforge
Is there a reason we can't make a script that automatically does this whenever
it receives a mail from debian-security-announce? Or has it just not been
done yet?
Thijs
pgpzPgpCyP
On Mon, September 24, 2007 09:42, Gregory Colpart wrote:
> I report that imp4/etch is *not* vulnerable for
> CVE-2007-1515 (corrected in #415117). I add CVE-id to imp4's
> changelog in our GNU Arch repository but I mention it here because no
> upload is expected in next weeks.
Thanks for letting u
Hi all,
I'm trying to find out who added some information to the tracker and with
what rationale, i.e. I'm looking for the commit message related to some
ircd-ircu issues marked as not-vulnerable.
I of course know about 'svn annotate', but this does not seem to work: it
times out for me when tryi
On Wed, September 19, 2007 07:22, Mike Hommey wrote:
> So as you know, CVE-2006-4965 has been revived is MFSA-2007-28 [1], but
> as far as I can tell, it's a Windows only issue.
Noted, thanks for keeping us posted.
Thijs
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubsc
Hi all,
I've installed the pre-commit hook that checks the syntax of committed files
to the repository now. If you get an error you probably need to fix your
commit :-) If you encounter any trouble please let me know. Commits with log
message "automatic update" are ignored for the check.
One t
On Fri, August 31, 2007 17:24, Moritz Muehlenhoff wrote:
> Thijs Kinkhorst wrote:
>> Let me know of any objections or comments.
>
> There are some corner cases, where the cron job update can result in a
> invalid
> syntax. This should be handled, so that no situation occurs, w
Hi all,
The security tracker frontend encodes JavaScript, resulting in an invalid
if-construct like below (the > in the third line):
function onSearch(query) {
if (old_query_value == "") {
if (query.length > 5) {
I'm not really familiar with the web toolkit that it uses, so maybe someone
On Thu, August 30, 2007 12:53, Florian Weimer wrote:
> * Thijs Kinkhorst:
>
>
>> svnlook cat -t "$TXN" "$REPOS" "$file" > $tmpfile cd
>> /home/groups/secure-testing/repo
>> python bin/check-syntax CVE $tmpfile
>
> I could chan
Hi all,
While working with the tracker, I noticed that:
1) From time to time error mails are generated when invalid commits are done.
2) A syntax checker exists.
This sounds like an ideal use case for a pre-commit SVN hook: the commit is
checked for syntax, and rejected to the user when the synt
89 matches
Mail list logo
