Processed: tagging 664866
Processing commands for cont...@bugs.debian.org:

> tags 664866 - pending
Bug #664866 [security-tracker] security-tracker: stable-backports not present in CVE and package pages. please add
Removed tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
664866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664866
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/handler.s.c.141105191916643.transcr...@bugs.debian.org
Bug#664866: patch for: Include squeeze- and wheezy-backports in issue and package views. (Closes: #664866)
Hi Holger,

On Thu, Sep 18, 2014 at 03:11:56PM +0200, Holger Levsen wrote:
> attached is an updated patch I'd like to commit to svn. Backports is treated
> as a subrelease like lts or security now.

Disclaimer, only gave a quick look. Thanks again for the work :).

I noticed when checking some random packages, that the version information though is not correct. I take again the bind9 example for CVE-2014-0591. It will show (currently as per data based on date Thu Sep 18 14:44:28 UTC 2014, including that as that will change ...)

Source Package  Release                      Version                                Status
bind9 (PTS)     squeeze, squeeze (security)  1:9.7.3.dfsg-1~squeeze11               vulnerable
                squeeze (lts)                1:9.7.3.dfsg-1~squeeze12               fixed
                wheezy                       1:9.8.4.dfsg.P1-6+nmu2+deb7u1          vulnerable
                squeeze (backports)          1:9.8.4.dfsg.P1-6+nmu2+deb7u1~bpo60+1  fixed  <-- not true
                wheezy (security)            1:9.8.4.dfsg.P1-6+nmu2+deb7u2          fixed
                jessie, sid                  1:9.9.5.dfsg-4                         fixed
                wheezy (backports)           1:9.9.5.dfsg-4~bpo70+1                 fixed

I guess this is not directly a problem of the patch, but more what it uncovers?

Without having dug into it: Is the problem that when backports is now considered as a subrelease, we will have the sorting of the versions squeeze, squeeze (security) <= squeeze (lts) <= squeeze (backports) and thus as 1:9.7.3.dfsg-1~squeeze12 <= 1:9.8.4.dfsg.P1-6+nmu2+deb7u1~bpo60+1, although this is not correct, as the fix was applied in 1:9.8.4.dfsg.P1-6+nmu2+deb7u2.

The security-tracker does not handle "version tracking" as well as the BTS for example does. There this information for example is correct.

https://bugs.debian.org/cgi-bin/version.cgi?width=;info=1;absolute=0;fixed=bind9%2F1%3A9.9.5.dfsg-1;fixed=bind9%2F1%3A9.8.4.dfsg.P1-6%2Bnmu2%2Bdeb7u2;height=;found=bind9%2F1%3A9.7.3.dfsg-1;package=bind9;format=png;collapse=1;ignore_boring=0

Thus for now (clearly) I'm not sure we really should include -backports ...

Regards,
Salvatore

Archive: https://lists.debian.org/20140918144603.GA17223@eldamar.local
Bug#664866: patch for: Include squeeze- and wheezy-backports in issue and package views. (Closes: #664866)
Hi, attached is an updated patch I'd like to commit to svn. Backports is treated as a subrelease like lts or security now. cheers, Holger From f10dd6719ee2eabcdc77bdbed1fcd7abdacff75f Mon Sep 17 00:00:00 2001 From: Holger Levsen Date: Tue, 16 Sep 2014 01:08:08 +0200 Subject: [PATCH] Include squeeze- and wheezy-backports in issue and package views. (Closes: #664866) --- bin/tracker_service.py| 15 +-- lib/python/security_db.py | 34 -- 2 files changed, 33 insertions(+), 16 deletions(-) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 9685f25..11bfa63 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -744,7 +744,7 @@ to improve our documentation and procedures, so feedback is welcome.""")])]) self.nvd_text]) def page_status_release_unstable_like(self, path, params, url, - rel, title): + rel, subrel, title): bf = BugFilter(params) def gen(): @@ -757,8 +757,8 @@ to improve our documentation and procedures, so feedback is welcome.""")])]) WHERE cve_name = st.bug_name) FROM source_package_status AS st, source_packages AS sp WHERE st.vulnerable AND sp.rowid = st.package -AND sp.release = ? AND sp.subrelease = '' -ORDER BY sp.name, st.bug_name""", (rel,)): +AND sp.release = ? AND sp.subrelease = ? +ORDER BY sp.name, st.bug_name""", (rel,subrel)): if bf.urgencyFiltered(urgency, vulnerable): continue if bf.remoteFiltered(remote): 
@@ -802,19 +802,22 @@ to improve our documentation and procedures, so feedback is welcome.""")])]) return self.page_status_release_unstable_like( path, params, url, title='Vulnerable source packages in the unstable suite', -rel='sid') +rel='sid', +subrel='') def page_status_release_stable_backports(self, path, params, url): return self.page_status_release_unstable_like( path, params, url, title='Vulnerable source packages among backports for stable', -rel='wheezy-backports') +rel='wheezy', +subrel='backports') def page_status_release_oldstable_backports(self, path, params, url): return self.page_status_release_unstable_like( path, params, url, title='Vulnerable source packages among backports for oldstable', -rel='squeeze-backports') +rel='squeeze', +subrel='backports') def page_status_dtsa_candidates(self, path, params, url): bf = BugFilter(params) diff --git a/lib/python/security_db.py b/lib/python/security_db.py index ea6a436..09aeddd 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -385,7 +385,7 @@ class DB: AND NOT COALESCE((SELECT NOT vulnerable FROM source_packages AS secp, source_package_status AS secst WHERE secp.name = sp.name -AND secp.release = '%s' AND ( secp.subrelease = 'security' OR secp.subrelease = 'lts' ) +AND secp.release = '%s' AND ( secp.subrelease = 'security' OR secp.subrelease = 'lts' OR secp.subrelease = 'backports' ) AND secp.archive = sp.archive AND secst.bug_name = st.bug_name AND secst.package = secp.rowid), 0) @@ -432,7 +432,7 @@ class DB: return -1 self.db.createscalarfunction("release_to_number", release_to_number, 1) -subreleases = ['', 'security', 'lts'] +subreleases = ['', 'security', 'lts', 'backports'] def subrelease_to_number(u): try: return subreleases.index(u) 
@@ -566,6 +566,12 @@ class DB: if release == 'squeeze-lts': release = 'squeeze' subrelease = 'lts' +elif release == 'squeeze-backports': +release = 'squeeze' +subrelease = 'backports' +elif release == 'wheezy-backports': +release = 'wheezy' +subrelease = 'backports' cursor.execute( """DELETE FROM source_packages WHERE release = ? AND subrelease = ? AND archive = ?""", @@ -629,6 +635,12 @@ class DB: if release == 'squeeze-lts': release = 'squeeze' subrelease = 'lts' +elif release == 'squeeze-backports': +release = 'squeeze' +subrelease = 'backports' +elif release == 'wheezy-backports': +release = 'wheezy' +subrelease = 'backports' (unch, parsed) = self._parseFile(cursor, filename) unchanged = u
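Review bot: In the @@ -744 hunk of bin/tracker_service.py, the new subrel parameter is inserted between rel and title in page_status_release_unstable_like, which shifts title for any caller that passes arguments positionally. The callers visible in this patch all use keywords, but giving it a default (subrel='') or placing it last would keep the signature backward compatible. The bind tuple (rel,subrel) also wants a space after the comma.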
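Review bot: In the @@ -385 hunk of lib/python/security_db.py, adding OR secp.subrelease = 'backports' to the COALESCE subquery lets a non-vulnerable backports row count the same way as a security or lts fix for the base release. Backports are not pulled in by a normal stable upgrade, so a package fixed only in backports would presumably drop out of this result while the base release still ships the vulnerable version. Consider leaving backports out of this condition. The subquery can now also match up to three rows while only one value is used, so the outcome depends on row order.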
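Review bot: In the @@ -432 hunk, subrelease_to_number returns the index into subreleases, so appending 'backports' after 'lts' ranks backports as the highest subrelease of a release. A backport takes its version from a later release's version line (the ~bpo60 upload is built from a deb7u1 version) and does not continue the security/lts sequence, so any ordering built on this number treats the backport as the successor of the lts upload. Please document what the ordering is meant to express, or handle backports outside this list.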
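Review bot: The elif chain added in the @@ -566 hunk hard-codes 'squeeze-backports' and 'wheezy-backports', and the @@ -629 hunk repeats it verbatim, so every new release needs edits in two places. A small shared helper that splits a name of the form release-subrelease for the known suffixes (lts, backports) would remove both the duplication and the per-release strings.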
External check
CVE-2013-1945: RESERVED
CVE-2014-6421: missing from list
CVE-2014-6422: missing from list
CVE-2014-6423: missing from list
CVE-2014-6424: missing from list
CVE-2014-6425: missing from list
CVE-2014-6426: missing from list
CVE-2014-6427: missing from list
CVE-2014-6428: missing from list
CVE-2014-6429: missing from list
CVE-2014-6430: missing from list
CVE-2014-6431: missing from list
CVE-2014-6432: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

Archive: https://lists.debian.org/541a7f33.89fmthmtadl7774l%atomo64+st...@gmail.com