DSA candidates

2017-12-18 Thread Security Tracker
abiword
--
exiv2
--
hdf5
--
icu
--
imagemagick
--
jython
--
libraw
--
libvorbis
--
mercurial
--
opencv
--
openexr
--
python2.7
--
rtpproxy
--
ruby-net-ldap
--
sensible-utils
--
swi-prolog
--
tkabber
--
vlc
--
whitedune
--
chromium-browser/stable
--
python3.5/stable
--
ruby2.3/stable
--
php-horde-crypt/oldstable
--
python-werkzeug/oldstable
--
python3.4/oldstable
--
ruby-http/oldstable
--
--
The above is a list of DSA candidates based on the tracker's information.
One should evaluate the candidates and either add them to dsa-needed.txt
or consider tagging them no-dsa.



Re: SUSE web link changes

2017-12-18 Thread Andreas Stieger

On 12/18/2017 08:56 PM, Salvatore Bonaccorso wrote:
> I enabled a slight variant of your proposal.

Thanks.

>> * link to SUSE CVE pages
>
> I have a question here: Red Hat has similar pages, but I have noticed
> that sometimes the CVE pages lag behind the actual Bugzilla
> entries. Is the SUSE one always in sync?

The CVE pages will show up as soon as we open a public bug, add a CVE
specific note, or release an update referencing the CVE. If the bug was
originally embargoed, only the latter. The lag should be 1-2 hours,
whenever the generating script runs. But what may have tripped you up is
that not every CVE will be used as a bug alias in a 1:1 mapping. Looks
good as it is now.

Andreas

-- 
Andreas Stieger 
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)



Re: SUSE web link changes

2017-12-18 Thread Salvatore Bonaccorso
Hi Andreas,

On Mon, Dec 18, 2017 at 02:53:36PM +0100, Salvatore Bonaccorso wrote:
> Hi Andreas,
> 
> Thanks for your contribution! Very much appreciated!
> 
> On Mon, Dec 18, 2017 at 01:41:04PM +0100, Andreas Stieger wrote:
> > Hello Debian team,
> > 
> > please consider the following change to the tracker:
> > 
> > * fix SUSE capitalization
> 
> Applied! (and will be updated once security-tracker is updated, will do
> later).
> 
> > * link to SUSE CVE pages
> 
> I have a question here: Red Hat has similar pages, but I have noticed
> that sometimes the CVE pages lag behind the actual Bugzilla
> entries. Is the SUSE one always in sync? I seem to remember having
> seen a similar issue here. In case of discrepancy I would still like
> to see the reference to the bugzilla, so maybe create two references?

I enabled a slight variant of your proposal. Patch attached.

Thanks a lot for your contribution!

Regards,
Salvatore
From 0a9f14a5f9352a950946701639a698baac57b6ed Mon Sep 17 00:00:00 2001
From: carnil 
Date: Mon, 18 Dec 2017 19:52:09 +
Subject: [PATCH] Link additionally to bugzilla as well to SUSE's CVE pages

Thanks: Andreas Stieger 

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58680 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 bin/tracker_service.py | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index 35c50adb23..87520ad460 100755
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -396,8 +396,10 @@ data source.""")],
   self.make_ubuntu_bug_ref(url, bug.name, 'Ubuntu'),
   ", ",
   self.make_gentoo_bug_ref(url, bug.name, 'Gentoo'),
-  ", ",
-  self.make_suse_bug_ref(url, bug.name, 'SUSE'),
+  ", SUSE ",
+  self.make_suse_bug_ref(url, bug.name, 'bugzilla'),
+  "/",
+  self.make_suse_cve_ref(url, bug.name, 'CVE'),
   ", ",
   self.make_mageia_bug_ref(url, bug.name, 'Mageia'),
   ", GitHub ",
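
Review bot: The new link label 'bugzilla' on the added `make_suse_bug_ref` line is lowercase, while the other labels in this list ('Ubuntu', 'Gentoo', 'Mageia', and the new 'CVE') are capitalised. Consider 'Bugzilla' so the rendered group reads "SUSE Bugzilla/CVE", and check that the ", SUSE " prefix plus "/" separator renders consistently with the ", GitHub " group that follows.
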
@@ -1538,6 +1540,8 @@ Debian bug number.'''),
 def url_suse_bug(self, url, name):
 return url.absolute("https://bugzilla.novell.com/show_bug.cgi;,
 id=name)
+def url_suse_cve(self, url, name):
+return url.absolute("https://www.suse.com/security/cve/%s/; % name)
 def url_mageia_bug(self, url, name):
 return url.absolute("https://advisories.mageia.org/%s.html; % name)
 def url_github_code_bug(self, url, name):
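
Review bot: The added `url_suse_cve` formats `name` straight into the URL path with `% name`, whereas `url_suse_bug` just above passes it to `url.absolute` as the `id=name` parameter. Nothing in this hunk shows `name` being validated or escaped, so a value containing `/`, `?` or `#` would alter the path of the generated link. Consider checking that `name` has the form of a CVE identifier, or percent-encoding it, before formatting; the existing `url_mageia_bug` line follows the same pattern and would benefit from the same treatment.
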
@@ -1666,6 +1670,11 @@ Debian bug number.'''),
 name = cve
 return A(self.url_suse_bug(url, cve), name)
 
+def make_suse_cve_ref(self, url, cve, name=None):
+if name is None:
+name = cve
+return A(self.url_suse_cve(url, cve), name)
+
 def make_mageia_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve
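
Review bot: The added `make_suse_cve_ref` repeats the same three-line body seen in the neighbouring `make_suse_bug_ref` and `make_mageia_bug_ref` methods, differing only in which `url_*` method it calls. A single helper that takes the URL builder as an argument would avoid another copy. The new method also has no docstring stating that `cve` is expected to be a CVE identifier and that `name` is the link text.
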
-- 
2.15.1



Re: SUSE web link changes

2017-12-18 Thread Salvatore Bonaccorso
Hi Andreas,

Thanks for your contribution! Very much appreciated!

On Mon, Dec 18, 2017 at 01:41:04PM +0100, Andreas Stieger wrote:
> Hello Debian team,
> 
> please consider the following change to the tracker:
> 
> * fix SUSE capitalization

Applied! (and will be updated once security-tracker is updated, will do
later).

> * link to SUSE CVE pages

I have a question here: Red Hat has similar pages, but I have noticed
that sometimes the CVE pages lag behind the actual Bugzilla
entries. Is the SUSE one always in sync? I seem to remember having
seen a similar issue here. In case of discrepancy I would still like
to see the reference to the bugzilla, so maybe create two references?

Regards,
Salvatore



SUSE web link changes

2017-12-18 Thread Andreas Stieger
Hello Debian team,

please consider the following change to the tracker:

* fix SUSE capitalization
* link to SUSE CVE pages

See patch attached,
Andreas

-- 
Andreas Stieger 
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)

Index: bin/tracker_service.py
===
--- bin/tracker_service.py	(revision 58676)
+++ bin/tracker_service.py	(working copy)
@@ -397,7 +397,7 @@ data source.""")],
   ", ",
   self.make_gentoo_bug_ref(url, bug.name, 'Gentoo'),
   ", ",
-  self.make_suse_bug_ref(url, bug.name, 'SuSE'),
+  self.make_suse_bug_ref(url, bug.name, 'SUSE'),
   ", ",
   self.make_mageia_bug_ref(url, bug.name, 'Mageia'),
   ", GitHub ",
@@ -1536,8 +1536,7 @@ Debian bug number.'''),
 def url_gentoo_bug(self, url, name):
 return url.absolute("https://bugs.gentoo.org/show_bug.cgi;, id=name)
 def url_suse_bug(self, url, name):
-return url.absolute("https://bugzilla.novell.com/show_bug.cgi;,
-id=name)
+return url.absolute("https://www.suse.com/security/cve/%s/; % name)
 def url_mageia_bug(self, url, name):
 return url.absolute("https://advisories.mageia.org/%s.html; % name)
 def url_github_code_bug(self, url, name):
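
Review bot: In the second hunk, `url_suse_bug` keeps its name but now returns a `https://www.suse.com/security/cve/` URL, so the method name no longer describes its target and the Bugzilla link is dropped from the tracker output. Adding a separate method for the CVE page and leaving `url_suse_bug` unchanged would keep both references available and keep the naming accurate.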

