Re: temp names stop working when CVE assigned

2007-12-13 Thread Florian Weimer
* Thijs Kinkhorst:

> I found a mail from a couple of months ago where this URL was used:
> http://security-tracker.debian.net/tracker/TEMP-000-009184

This is really temporary, the 009184 part changes with each commit,
basically.

> Would it be possible, when a CVE gets assigned to such an issue, to keep
> the old URL and have it redirect to the CVE?

This should work if there's a Debian bug report recorded in the
tracker.  In that case, the bug number is used instead of the sequence
of zeros, and this continues to work after the CVE has been assigned:

  

There has been some talk of using a shortened hash of the bug
description, but this hasn't been implemented yet.

-- 
Florian Weimer<[EMAIL PROTECTED]>
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



temp names stop working when CVE assigned

2007-12-13 Thread Thijs Kinkhorst
Hi,

I found a mail from a couple of months ago where this URL was used:
http://security-tracker.debian.net/tracker/TEMP-000-009184

It was valid at the time, but later a CVE id got assigned for the issue.
The URL is not for external reference, but this was an internal Debian
mail.

Would it be possible, when a CVE gets assigned to such an issue, to keep
the old URL and have it redirect to the CVE?


Thijs





Re: scponly issue

2007-12-13 Thread Florian Weimer
* Steffen Joeris:

> The scponly issue[0] is still marked as "high". The solution so far
> is to deactivate the svn support. To actually exploit it, one needs
> to have a svn account already. Can we at least lower it to medium?
> Any thoughts on this?

This is a failure of a security component to enforce the configured
security policy, so "high" is warranted.

I'll make sure that we release an appropriate update for stable.

-- 
Florian Weimer<[EMAIL PROTECTED]>
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



scponly issue

2007-12-13 Thread Steffen Joeris
Hi

The scponly issue[0] is still marked as "high". The solution so far is to
deactivate the svn support. To actually exploit it, one needs to have a svn
account already. Can we at least lower it to medium? Any thoughts on this?

Cheers
Steffen

[0]: http://security-tracker.debian.net/tracker/TEMP-0437148-004893

