Bug#1001451: Candidate script updates
On Wed, 26 Jan 2022 10:10:04 +0100 Salvatore Bonaccorso wrote:
> Hi Neil,
>
> I think, if there are no objections from others, that we can look
> forward into merging the grab-cve-fixes and merge-cve-list updates.

https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/100

I haven't set a reviewer or assignee for the MR.

> While testing there was one minor glitch which might be checked later
> if we want to have it fixed, please double check if my claim is
> correct. If a list to be merged contains a listing of a reserved CVE,
> say something like
>
> CVE [temporary description]
> RESERVED
> - source fixedversion
> NOTE: note
>
> then merge-cve-list will stumble over the RESERVED keyword. But this
> can easily be worked around by cleaning up the list one wants to merge
> of the RESERVED keywords.

I can look at that as an extension of the existing bug report; I've
also got the REJECTED support to add to update-vuln for Moritz.

> Maybe you can put both in an MR and give others, say, until end of week
> time to object to both script updates and then go ahead with the
> merging.
>
> I have not looked at the third script (update-vuln), I had so far
> little use cases to directly work with it.
>
> Regards and thanks a lot for your work on this part as well.
> Salvatore

--
Neil Williams = https://linux.codehelp.co.uk/
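The RESERVED glitch discussed above concerns the line-oriented CVE list shape that the tracker scripts merge: a CVE header, an optional RESERVED or REJECTED marker, "- source version" fix lines and "NOTE:" lines. The following Python is an added example, not the security-tracker's own merge-cve-list or update-vuln code: a small parser and merger for that shape that records RESERVED and REJECTED marker lines as entry state instead of tripping over them. The sample lists, the placeholder id CVE-2022-XXXX and the note texts are constructed, and the merge policy (the base list wins on state, fix and note lines are unioned in order) is an assumption made for the example, not the script's behaviour.

```python
"""Added example: parse and merge text in the CVE-list shape quoted above.

Not the security-tracker's merge-cve-list; handling is limited to the four
line kinds shown in the mail (CVE header, RESERVED / REJECTED marker,
"- source version" fix line, "NOTE:" line).
"""
import re
from dataclasses import dataclass, field

# Header: "CVE-YYYY-NNNN" followed by an optional "[temporary description]"
# or "(description)". "X" is allowed in the number so placeholder ids parse.
CVE_HEADER = re.compile(r"^(CVE-\d{4}-[0-9X]{4,})\s*(\[.*\]|\(.*\))?\s*$")


@dataclass
class Entry:
    cve: str
    description: str = ""
    state: str = ""                               # "", "RESERVED" or "REJECTED"
    fixes: list = field(default_factory=list)     # "- source version" lines
    notes: list = field(default_factory=list)     # "NOTE: ..." lines


def parse_cve_list(text):
    """Return {cve_id: Entry}; raise ValueError on a line kind we do not know."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CVE_HEADER.match(line)
        if m:
            current = Entry(cve=m.group(1), description=m.group(2) or "")
            entries[current.cve] = current
        elif current is None:
            raise ValueError(f"body line before any CVE header: {raw!r}")
        elif line in ("RESERVED", "REJECTED"):
            current.state = line                  # marker line, not a fix line
        elif line.startswith("- "):
            current.fixes.append(line)
        elif line.startswith("NOTE:"):
            current.notes.append(line)
        else:
            raise ValueError(f"unrecognised line under {current.cve}: {raw!r}")
    return entries


def merge_cve_lists(base, incoming):
    """Merge `incoming` into a copy of `base` (assumed policy): unknown CVEs
    are added whole; for known ones the base state wins when set, and fix /
    note lines not already present are appended in order."""
    merged = {}
    for cve, e in base.items():
        merged[cve] = Entry(e.cve, e.description, e.state, list(e.fixes), list(e.notes))
    for cve, inc in incoming.items():
        if cve not in merged:
            merged[cve] = Entry(inc.cve, inc.description, inc.state,
                                list(inc.fixes), list(inc.notes))
            continue
        tgt = merged[cve]
        if not tgt.state:
            tgt.state = inc.state
        for f in inc.fixes:
            if f not in tgt.fixes:
                tgt.fixes.append(f)
        for n in inc.notes:
            if n not in tgt.notes:
                tgt.notes.append(n)
    return merged


def render(entries):
    """Serialise back to the list shape, one tab-indented body line each."""
    out = []
    for cve in sorted(entries):
        e = entries[cve]
        out.append(f"{e.cve} {e.description}".rstrip())
        if e.state:
            out.append("\t" + e.state)
        out.extend("\t" + f for f in e.fixes)
        out.extend("\t" + n for n in e.notes)
    return "\n".join(out) + "\n"


# Constructed sample lists; CVE-2022-XXXX is a placeholder id, not a real CVE.
BASE_LIST = """\
CVE-2021-4034 (constructed description)
\t- policykit-1 0.105-31.1
\tNOTE: constructed note one
"""

INCOMING_LIST = """\
CVE-2021-4034 (constructed description)
\tNOTE: constructed note two
CVE-2022-XXXX [temporary description]
\tRESERVED
\t- example-source 1.0-1
\tNOTE: constructed placeholder entry
"""


def merged_sample():
    """Merge the two constructed lists; used by the demo and the checks."""
    return merge_cve_lists(parse_cve_list(BASE_LIST), parse_cve_list(INCOMING_LIST))


if __name__ == "__main__":
    print(render(merged_sample()), end="")
```

Running it prints the merged list with the reserved placeholder entry intact; parsing the rendered output again yields the same entries, which is the round-trip property a merge script for this format should keep.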
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi!

On Thu, Jan 27, 2022 at 08:34:32PM +0900, Hideki Yamane wrote:
> Hi,
>
> policykit-1 in testing is noted as vulnerable but its version
> 0.105-31.1~deb12u1 fixed CVE-2021-4034.
>
> Will the data in security-tracker be updated automatically?

I'm aware of that, but I have not added a fixed version explicitly for
testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
was only uploaded to bookworm directly as the unstable->testing
migration had to be stopped due to #1004272 due to the urgency of
CVE-2021-4034.

Regards,
Salvatore
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi Salvatore,

On Thu, 27 Jan 2022 14:42:21 +0100 Salvatore Bonaccorso wrote:
> > policykit-1 in testing is noted as vulnerable but its version
> > 0.105-31.1~deb12u1 fixed CVE-2021-4034.
> >
> > Will the data in security-tracker be updated automatically?
>
> I'm aware of that, but I have not added a fixed version explicitly for
> testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> was only uploaded to bookworm directly as the unstable->testing
> migration had to be stopped due to #1004272 due to the urgency of
> CVE-2021-4034.

So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
should be delivered in the usual proper way, right?

And some people say "testing is vulnerable as security-tracker says"
- but I want to confirm that it's not.

You've pointed to #1004272 as "binutils: missing RELRO header", does it
affect policykit-1? (or maybe affects more widely?)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272

--
Hideki Yamane
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi,

On Thu, Jan 27, 2022 at 11:03:44PM +0900, Hideki Yamane wrote:
> Hi Salvatore,
>
> On Thu, 27 Jan 2022 14:42:21 +0100
> Salvatore Bonaccorso wrote:
> > > policykit-1 in testing is noted as vulnerable but its version
> > > 0.105-31.1~deb12u1 fixed CVE-2021-4034.
> > >
> > > Will the data in security-tracker be updated automatically?
> >
> > I'm aware of that, but I have not added a fixed version explicitly for
> > testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> > was only uploaded to bookworm directly as the unstable->testing
> > migration had to be stopped due to #1004272 due to the urgency of
> > CVE-2021-4034.
>
> So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
> should be delivered in the usual proper way, right?

Yes, I meant the upload of 0.105-31.1~deb12u1 was a temporary solution
as packages in unstable were stopped from migrating.

policykit-1 in unstable fixes the issue as well, but got built with
the broken binutils. It got binNMU'ed in the meantime as well after
#1004272 was fixed.

> And some people say "testing is vulnerable as security-tracker says"
> - but I want to confirm that it's not.

Yes, this is correct. testing contains the fix for CVE-2021-4034 with
0.105-31.1~deb12u1 but it will soonish be superseded with the proper
0.105-31.1 (at which point the security-tracker will show it
correctly; we might add a temporary override if it confuses too many
people).

> You've pointed to #1004272 as "binutils: missing RELRO header", does it
> affect policykit-1? (or maybe affects more widely?)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272

policykit-1 is not the only one affected by the binutils issue; some
packages got built with the broken version. TTBOMK Adrian Bunk
identified the broken ones and had binNMUs scheduled for them
accordingly with the fixed binutils version.

Hope this helps!

Regards,
Salvatore

p.s.: btw, apologies, my initial mail was sent in too much of a hurry,
and so was badly formulated and hard to understand. Hope the above is
clearer now.
CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi,

policykit-1 in testing is noted as vulnerable but its version
0.105-31.1~deb12u1 fixed CVE-2021-4034.

Will the data in security-tracker be updated automatically?

--
Regards,
Hideki Yamane henrich @ debian.org/iijmio-mail.jp
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi Salvatore,

On Thu, 27 Jan 2022 15:52:15 +0100 Salvatore Bonaccorso wrote:
> Yes, I meant the upload of 0.105-31.1~deb12u1 was a temporary solution
> as packages in unstable were stopped from migrating.
>
> policykit-1 in unstable fixes the issue as well, but got built with
> the broken binutils. It got binNMU'ed in the meantime as well after
> #1004272 was fixed.

Now I get it clearly, thanks :)

> Yes, this is correct. testing contains the fix for CVE-2021-4034 with
> 0.105-31.1~deb12u1 but it will soonish be superseded with the proper
> 0.105-31.1 (at which point the security-tracker will show it
> correctly; we might add a temporary override if it confuses too many
> people).

Thank you.

> policykit-1 is not the only one affected by the binutils issue; some
> packages got built with the broken version. TTBOMK Adrian Bunk
> identified the broken ones and had binNMUs scheduled for them
> accordingly with the fixed binutils version.

I didn't notice this binutils issue. I hope this does not become much of
a problem and that we will be able to implement some tests that can
catch it.

Thank you for your replies, and for your security team work. It's very
hard work, tons of sensitive issues which need to be dealt with in a
timely manner, and it never ends. Debian's reputation relies on such
people.

--
Hideki Yamane