Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2012-02-14 Thread Enrico Zini
On Sun, Dec 14, 2008 at 10:11:23PM +0100, Florian Weimer wrote:

> > I think debian should do all that it can to avoid lag in security
> > updates, and that means getting the word out about the problem as soon
> > as possible (not addressed here) as well as getting word out when a
> > solution has been found asap (this suggestion addresses this problem).
> 
> It would help if we were able to automatically extract diffs from the
> source RPMs published by other distributions.  This is something that
> should be scriptable, but it's not really trivial, either.

I've been working on a tool to map binary package names across
distributions: http://enricozini.org/2011/debian/distromatch/
and it can be queried at http://dde.debian.net/dde/q/distromatch/match/
or at http://dde.debian.net/distromatch-frontend.html
or just deployed as a command line tool:
http://www.enricozini.org/2011/debian/distromatch-deploy/

The results aren't so good at the moment because the data export from
the rpm world is temporarily down, but I've just come back from Fosdem
with a list of contacts for many distributions, and I'm going to follow
them up so we should have reliable data exports and fine tuning from as
many as possible.

At the moment it matches binary package names, but if source package
matching is needed it can be done, as the information is currently
there.

(I don't mean to propose distromatch as a solution to this issue; it
just looks like it may be relevant here.)


Ciao,

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini 




Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-14 Thread Florian Weimer
* Michael Gilbert:

>>>> Since we don't just blindly apply fixes from other
>>>> distributions and there still needs to be someone who can
>>>> check this additional information I fail to see that this
>>>> is needed for us.
>>>
>>> There is no harm in getting an overview of what other
>>> distributions do, though.
>>
>> The cost of maintaining that information separately has to be
>> considered, too.  A lot of this information is available through NVD,
>> albeit with some delay.
>
> As long as someone is willing to do the work, I don't see it as too
> burdensome.  It's simply a matter of watching the other distributions'
> security announcements (usually 0-10 per day) and updating the tracker
> with that information.  I would be willing to do it all myself.

Again, this information is already available from NVD.  Here's an
example:

  

> I think debian should do all that it can to avoid lag in security
> updates, and that means getting the word out about the problem as soon
> as possible (not addressed here) as well as getting word out when a
> solution has been found asap (this suggestion addresses this problem).

It would help if we were able to automatically extract diffs from the
source RPMs published by other distributions.  This is something that
should be scriptable, but it's not really trivial, either.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
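Florian's remark that pulling the diffs out of another distribution's source RPM "should be scriptable, but it's not really trivial" is illustrated by the following added example. It is mine, not code from this thread, from the security tracker or from any distribution's build tooling. It takes the .spec file from an already unpacked SRPM (the rpm2cpio | cpio step is not shown), lists the patches the spec declares, the order in which %prep applies them, and which applied patches carry a CVE id in their file name. The spec text is a constructed sample with placeholder CVE ids; the only real assumptions are the `PatchN:` tag and `%patchN` / `%patch -P N` conventions of rpm spec files.

```python
"""Added example (not from the bug thread or any distribution's tooling):
given the .spec file out of an unpacked source RPM, list the patches it
declares, the order %prep applies them in, and which of them name a CVE,
so the diffs a distribution shipped for a fix can be pulled out for review.
The spec below is a constructed sample with placeholder CVE ids."""
import re
from typing import Dict, List

# Constructed sample spec; file names and CVE ids are placeholders.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Release:        4%{?dist}
Source0:        http://example.invalid/example-%{version}.tar.gz
Patch0:         example-build-fix.patch
Patch1:         example-1.2.3-CVE-0000-0001-buffer-check.patch
Patch2:         example-1.2.3-CVE-0000-0002.patch
Patch3:         example-unused.patch

%prep
%setup -q
%patch0 -p1
%patch2 -p1 -b .cve
%patch -P 1 -p1
"""

PATCH_DECL = re.compile(r"^Patch(\d*)\s*:\s*(\S+)", re.MULTILINE)
PATCH_APPLY = re.compile(r"^%patch(\d*)\b(.*)$", re.MULTILINE)
PATCH_P_FLAG = re.compile(r"-P\s*(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def declared_patches(spec: str) -> Dict[int, str]:
    """PatchN: tags -> {N: file name}; a bare 'Patch:' tag counts as Patch0."""
    return {int(num) if num else 0: name for num, name in PATCH_DECL.findall(spec)}


def applied_patches(spec: str) -> List[int]:
    """Patch numbers in %prep application order (%patchN or %patch -P N)."""
    order = []
    for num, rest in PATCH_APPLY.findall(spec):
        flag = PATCH_P_FLAG.search(rest)
        if flag:
            order.append(int(flag.group(1)))
        else:
            order.append(int(num) if num else 0)
    return order


def patch_report(spec: str) -> Dict[str, object]:
    """Cross-check declarations against application and annotate CVE ids."""
    decl = declared_patches(spec)
    order = applied_patches(spec)
    applied = [
        {"num": n, "file": decl.get(n),
         "cves": sorted(set(CVE_RE.findall(decl.get(n, ""))))}
        for n in order
    ]
    return {
        "applied": applied,
        # declared but never applied: shipped in the SRPM yet not part of the build
        "unapplied": [decl[n] for n in sorted(set(decl) - set(order))],
        # applied but never declared: the spec is inconsistent and needs a human look
        "undeclared": [n for n in order if n not in decl],
    }


def security_patches(spec: str) -> List[str]:
    """Applied patches whose file name carries a CVE id.  A heuristic only:
    a fix may well sit in a patch with no CVE in its name, so this narrows
    the review, it does not replace it."""
    return [row["file"] for row in patch_report(spec)["applied"] if row["cves"]]


if __name__ == "__main__":
    report = patch_report(SAMPLE_SPEC)
    for row in report["applied"]:
        print(row)
    print("unapplied:", report["unapplied"])
    print("security patches:", security_patches(SAMPLE_SPEC))
```

The interesting cases for a reviewer are the ones the report separates out: a patch that is declared but never applied (it is in the SRPM but not in the binaries), and an application order that differs from the numbering, which matters when a later patch depends on an earlier one. Getting from here to a reviewable diff still means unpacking the SRPM and reading the patch files themselves, which is the non-trivial part Florian alludes to.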



Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-08 Thread Nico Golde
Hi,
* Richard Hartmann <[EMAIL PROTECTED]> [2008-12-08 09:54]:
> On Mon, Dec 8, 2008 at 09:32, Nico Golde <[EMAIL PROTECTED]> wrote:
> > I think your imagination of the process is way too easy,
> > it's more than reading and directly editing the tracker, the
> > same process as the one for new CVE ids applies, checking if
> > the package is in Debian, if not checking if there is an itp
> > or if it's NFU,
> 
> Can be done with a script of a few lines (unless the whole
> thing has been renamed).

This cannot be done with a script exactly because of this.

> > check other packages embedding this source
> > code,
> 
> Should be do-able with a few more lines, but will probably
> need manual verification.

Huh? Please come up with code if you think it's that easy. 
In the past we did some checks for this using clamav 
signatures and I can tell you, it's not that easy.

> > check other packages having similar code...
> 
> Needs manual verification & work.
> 
> Yet, none of these speak against a pointer of the fix already
> being available once the above steps have been finished. And
> that is what Michael is offering.
> It will certainly not make every issue disappear magically. But
> it may help in quite a few cases.

What speaks against this is that we already have a serious 
lack of manpower for the normal tracker data and unless this 
is solved this is a waste of resources.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-08 Thread Richard Hartmann
On Mon, Dec 8, 2008 at 09:32, Nico Golde <[EMAIL PROTECTED]> wrote:

> I think your imagination of the process is way too easy,
> it's more than reading and directly editing the tracker, the
> same process as the one for new CVE ids applies, checking if
> the package is in Debian, if not checking if there is an itp
> or if it's NFU,

Can be done with a script of a few lines (unless the whole
thing has been renamed).


> check other packages embedding this source
> code,

Should be do-able with a few more lines, but will probably
need manual verification.


> check other packages having similar code...

Needs manual verification & work.


Yet, none of these speak against a pointer of the fix already
being available once the above steps have been finished. And
that is what Michael is offering.
It will certainly not make every issue disappear magically. But
it may help in quite a few cases.


Richard






Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-08 Thread Nico Golde
Hi,
* Michael Gilbert <[EMAIL PROTECTED]> [2008-12-08 09:09]:
> >>> Since we don't just blindly apply fixes from other
> >>> distributions and there still needs to be someone who can
> >>> check this additional information I fail to see that this
> >>> is needed for us.
> >>
> >> There is no harm in getting an overview of what other
> >> distributions do, though.
> >
> > The cost of maintaining that information separately has to be
> > considered, too.  A lot of this information is available through NVD,
> > albeit with some delay.
> 
> As long as someone is willing to do the work, I don't see it as too
> burdensome.  It's simply a matter of watching the other distributions'
> security announcements (usually 0-10 per day) and updating the tracker
> with that information.  I would be willing to do it all myself.

I think your imagination of the process is way too easy, 
it's more than reading and directly editing the tracker, the 
same process as the one for new CVE ids applies, checking if 
the package is in Debian, if not checking if there is an itp 
or if it's NFU, check other packages embedding this source 
code, check other packages having similar code... I really 
would wonder if you would have the time to constantly check 
10 of these per day on your own.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-07 Thread Michael Gilbert
>>> Since we don't just blindly apply fixes from other
>>> distributions and there still needs to be someone who can
>>> check this additional information I fail to see that this
>>> is needed for us.
>>
>> There is no harm in getting an overview of what other
>> distributions do, though.
>
> The cost of maintaining that information separately has to be
> considered, too.  A lot of this information is available through NVD,
> albeit with some delay.

As long as someone is willing to do the work, I don't see it as too
burdensome.  It's simply a matter of watching the other distributions'
security announcements (usually 0-10 per day) and updating the tracker
with that information.  I would be willing to do it all myself.

I think debian should do all that it can to avoid lag in security
updates, and that means getting the word out about the problem as soon
as possible (not addressed here) as well as getting word out when a
solution has been found asap (this suggestion addresses this problem).
Security researchers will judge the distribution poorly because of
apparently large vulnerability windows (note that red hat is usually
praised for their small windows, but from the looks of it, they tend
to reserve all their problems until the fix is released, which is why
their numbers look so good).  I don't think relying on the NVD is good
enough because they take too long to update their information.

Regards,
Mike






Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-07 Thread Florian Weimer
* Richard Hartmann:

> On Sun, Dec 7, 2008 at 15:21, Nico Golde <[EMAIL PROTECTED]> wrote:
>
>> Since we don't just blindly apply fixes from other
>> distributions and there still needs to be someone who can
>> check this additional information I fail to see that this
>> is needed for us.
>
> There is no harm in getting an overview of what other
> distributions do, though.

The cost of maintaining that information separately has to be
considered, too.  A lot of this information is available through NVD,
albeit with some delay.






Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-07 Thread Richard Hartmann
On Sun, Dec 7, 2008 at 15:21, Nico Golde <[EMAIL PROTECTED]> wrote:

> Since we don't just blindly apply fixes from other
> distributions and there still needs to be someone who can
> check this additional information I fail to see that this
> is needed for us.

There is no harm in getting an overview of what other
distributions do, though. At worst, the patch is discarded
and some time has been spent on reviewing it. At best,
duplicated effort is avoided.


Richard






Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-07 Thread Nico Golde
Hi,
* Michael Gilbert <[EMAIL PROTECTED]> [2008-12-07 15:03]:
[...] 
> Oftentimes, a fix gets released for other distributions, and then it
> takes weeks or months for Debian to apply the same fix.  I wonder if
> this is primarily a communication issue and whether including this
> type of information in the tracker would help reduce this lag.  The
> intent would be to increase the security team/package maintainers
> awareness of existing patches.
> 
> Some current examples (not a comprehensive list, I only spent 5
> minutes on this):
> 
> CVE-2008-4552: fixed in ubuntu [1]
> CVE-2008-2379: fixed in fedora [2]

Since we don't just blindly apply fixes from other 
distributions and there still needs to be someone who can 
check this additional information I fail to see that this 
is needed for us.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#508031: Tracking vulnerabilities that have already been patched in other distributions

2008-12-06 Thread Michael Gilbert
Package: security-tracker
Severity: important

Oftentimes, a fix gets released for other distributions, and then it
takes weeks or months for Debian to apply the same fix.  I wonder if
this is primarily a communication issue and whether including this
type of information in the tracker would help reduce this lag.  The
intent would be to increase the security team/package maintainers
awareness of existing patches.

Some current examples (not a comprehensive list, I only spent 5
minutes on this):

CVE-2008-4552: fixed in ubuntu [1]
CVE-2008-2379: fixed in fedora [2]

I'm considering the severity important since leaving users' systems
vulnerable while a fix exists is a very bad thing.

If I get the time, I may look at trying to add this myself, but no
guarantees.  So if anyone else is interested in the problem, go for
it.

Mike

[1] http://www.ubuntu.com/usn/USN-687-1
[2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html



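The workflow the bug report proposes, and the objections raised later in the thread (the package has to be mapped to a Debian source package first, and an issue with no Debian package yet still needs the ITP/NFU triage Nico describes), can be sketched as the following added example. It is mine, not code from the report, from the security tracker or from distromatch. It pulls CVE ids out of other distributions' advisory texts, maps the distribution's package name to a Debian source package through a small lookup table (the kind of data a tool like distromatch would supply), and compares against a tracker snapshot to flag issues already fixed elsewhere that are still open in Debian. The advisories, the package map, the tracker snapshot and the CVE ids are all constructed placeholders.

```python
"""Added example (not code from the bug report, the security tracker or
distromatch): cross-reference other distributions' advisories against a
tracker snapshot and flag issues they have fixed while the Debian entry is
still open.  Every input below is a constructed placeholder."""
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed advisory excerpts in the style of a USN / Fedora announcement.
ADVISORIES = [
    {"distro": "ubuntu", "id": "USN-0000-1", "package": "libfoo",
     "text": "A flaw was found in libfoo ... (CVE-0000-0001, CVE-0000-0002)"},
    {"distro": "fedora", "id": "FEDORA-0000-0000", "package": "foo-libs",
     "text": "Update to fix CVE-0000-0002 and CVE-0000-0003."},
]

# Constructed (distro, package) -> Debian source package mapping; a real one
# would come from a package-name matching service such as distromatch.
PACKAGE_MAP: Dict[Tuple[str, str], str] = {
    ("ubuntu", "libfoo"): "libfoo",
    ("fedora", "foo-libs"): "libfoo",
}

# Constructed tracker snapshot: CVE -> {Debian source package: status}.
TRACKER: Dict[str, Dict[str, str]] = {
    "CVE-0000-0001": {"libfoo": "open"},
    "CVE-0000-0002": {"libfoo": "fixed"},
    "CVE-0000-0003": {},  # CVE known, no Debian package assigned yet
}


def extract_cves(text: str) -> List[str]:
    """Unique CVE ids mentioned in an advisory, sorted for stable output."""
    return sorted(set(CVE_RE.findall(text)))


def cross_reference(advisories, tracker, package_map) -> Dict[str, Dict]:
    """Split advisory CVEs into two buckets:
    lagging      - mapped to a Debian package whose tracker status is not 'fixed'
    needs_triage - no package mapping or no Debian package on the tracker entry,
                   i.e. the manual 'is it in Debian / ITP / NFU' check still applies."""
    lagging: Dict[str, Dict] = {}
    needs_triage: Dict[str, List[str]] = {}
    for adv in advisories:
        deb = package_map.get((adv["distro"], adv["package"]))
        for cve in extract_cves(adv["text"]):
            statuses = tracker.get(cve, {})
            if deb is None or deb not in statuses:
                needs_triage.setdefault(cve, []).append(adv["id"])
                continue
            if statuses[deb] != "fixed":
                entry = lagging.setdefault(cve, {"package": deb, "fixed_in": []})
                entry["fixed_in"].append(adv["id"])
    return {"lagging": lagging, "needs_triage": needs_triage}


def summary_lines(result: Dict[str, Dict]) -> List[str]:
    """Human-readable lines, one per flagged CVE, for a daily digest."""
    lines = []
    for cve, entry in sorted(result["lagging"].items()):
        lines.append(f"{cve} {entry['package']}: fixed in {', '.join(entry['fixed_in'])}, open in Debian")
    for cve, ids in sorted(result["needs_triage"].items()):
        lines.append(f"{cve}: referenced by {', '.join(ids)}, no Debian package mapped, triage needed")
    return lines


if __name__ == "__main__":
    for line in summary_lines(cross_reference(ADVISORIES, TRACKER, PACKAGE_MAP)):
        print(line)
```

The split into two buckets is the point: only the first bucket is the "pointer to an existing fix" the report asks for, and it is only as good as the package-name mapping feeding it; the second bucket is exactly the manual work the other replies say cannot be scripted away.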