Bug#1053702: marked as done (NIST data feed to be retired in December 2023)
Your message dated Wed, 13 Dec 2023 12:43:47 +0100 with message-id <035ff026-f151-4a03-a8c6-2710fa152...@debian.org> and subject line Re: Bug#1053702: NIST data feed to be retired in December 2023 has caused the Debian Bug report #1053702, regarding NIST data feed to be retired in December 2023 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1053702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: security-tracker
Severity: important

The security tracker currently uses the JSON feeds as linked from https://nvd.nist.gov/vuln/data-feeds. Those data feeds will be retired on December, 15th 2023, so in a bit more than two months. After that the information will be only available via the API.

See also the announcement: https://nvd.nist.gov/General/News/change-timeline

Regards,
Bastian

--
Live long and prosper.
-- Spock, "Amok Time", stardate 3372.7
--- End Message ---
--- Begin Message ---
On 11/12/2023 19:00, Emilio Pozuelo Monfort wrote:

Control: forwarded -1 https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/155

On 02/11/2023 07:01, Salvatore Bonaccorso wrote:

Control: tags -1 + confirmed

Hi,

On Mon, Oct 09, 2023 at 11:48:59AM +0200, Bastian Blank wrote:

Package: security-tracker
Severity: important

The security tracker currently uses the JSON feeds as linked from https://nvd.nist.gov/vuln/data-feeds. Those data feeds will be retired on December, 15th 2023, so in a bit more than two months. After that the information will be only available via the API.

See also the announcement: https://nvd.nist.gov/General/News/change-timeline

Thanks. TTBOMK, but will have to check, we only nowadays use the NVD feed for the descriptions. If that's the case we will switch to the MITRE provided feeds as we use for the rest already.

Done in the above MR.

This is live now in the security-tracker.

Cheers,
Emilio
--- End Message ---
Processed: Re: Bug#1053702: NIST data feed to be retired in December 2023
Processing control commands:

> tags -1 + confirmed
Bug #1053702 [security-tracker] NIST data feed to be retired in December 2023
Added tag(s) confirmed.

--
1053702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053702
Bug#987283: marked as done (Filter list for "unreported" view)
Your message dated Tue, 30 May 2023 06:18:33 +0200 with message-id and subject line Fixed has caused the Debian Bug report #987283, regarding Filter list for "unreported" view to be marked as done.

--
987283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987283

--- Begin Message ---
Package: security-tracker
Severity: wishlist

https://security-tracker.debian.org/tracker/status/unreported should gain a filter list, since there are some packages for which filing bugs makes no sense (e.g. the linux kernel, which is tracked without filed bugs in the BTS or various legacy Nvidia packages, which are known vulnerable, but still kept around for hw compat).

Ideally we simply have a list of source packages kept under CVE/* which are filtered out.

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
MR is merged
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/114

Anton
--- End Message ---
Bug#1030321: marked as done (security-tracker: Add support to fetch information for non-free-firmware archive section)
Your message dated Sat, 4 Feb 2023 12:03:47 +0100 with message-id and subject line Re: Bug#1030321: security-tracker: Add support to fetch information for non-free-firmware archive section has caused the Debian Bug report #1030321, regarding security-tracker: Add support to fetch information for non-free-firmware archive section to be marked as done.

--
1030321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030321

--- Begin Message ---
Package: security-tracker
Severity: important
X-Debbugs-Cc: car...@debian.org,k...@debian.org,

Hi

With the introduction of the non-free-firmware section the security-tracker needs to be able to fetch package information as well for non-free-firmware packages (e.g. firmware-nonfree).

Currently the overview e.g. for https://security-tracker.debian.org/tracker/source-package/firmware-nonfree is not broken.

At least

- Makefile: Fetch packages for main contrib non-free and non-free-firmware
- bin/grab-cve-in-fix: Only adjust comment AFAICS
- bin/lts-missing-uploads: need to support component non-free-firmware if the upper suite has support for it.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
On Thu, Feb 02, 2023 at 09:54:38PM +0100, Salvatore Bonaccorso wrote:
> Package: security-tracker
> Severity: important
> X-Debbugs-Cc: car...@debian.org,k...@debian.org,
>
> Hi
>
> With the introduction of the non-free-firmware section the
> security-tracker needs to be able to fetch package information as well for
> non-free-firmware packages (e.g. firmware-nonfree).
>
> Currently the overview e.g. for
> https://security-tracker.debian.org/tracker/source-package/firmware-nonfree
> is not broken.
>
> At least
>
> - Makefile: Fetch packages for main contrib non-free and
>   non-free-firmware
> - bin/grab-cve-in-fix: Only adjust comment AFAICS
> - bin/lts-missing-uploads: need to support component non-free-firmware
>   if the upper suite has support for it.

Added support with
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27e0a6e7dc9f2eda69e9aa2ebc020f4ecd4e3a2c
.

bin/lts-missing-uploads will still need to handle this in future.

Regards,
Salvatore
--- End Message ---
Processed: Re: Container Image vulnerabilities
Processing commands for cont...@bugs.debian.org:

> notfound 999357 buster
Bug #999357 [security-tracker] Container Image vulnerabilities
There is no source info for the package 'security-tracker' at version 'buster' with architecture ''
Unable to make a source version for version 'buster'
No longer marked as found in versions buster.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
999357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999357
Bug#1006987: marked as done (security-tracker: DSA-5096-1 vs. tracker)
Your message dated Thu, 10 Mar 2022 07:46:38 +0100 with message-id and subject line Re: Bug#1006987: security-tracker: DSA-5096-1 vs. tracker has caused the Debian Bug report #1006987, regarding security-tracker: DSA-5096-1 vs. tracker to be marked as done.

--
1006987: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006987

--- Begin Message ---
Package: security-tracker
Severity: normal

Hello.

In [DSA-5096-1], several CVEs are said to be fixed for buster in linux/4.19.232-1 .
However, one of them is [CVE-2021-4202], which seems to be missing from the corresponding [DSA tracker page] (maybe because that CVE is not included in the list at the beginning of the DSA?).

[DSA-5096-1]: <https://lists.debian.org/debian-security-announce/2022/msg00063.html>
[CVE-2021-4202]: <https://security-tracker.debian.org/tracker/CVE-2021-4202>
[DSA tracker page]: <https://security-tracker.debian.org/tracker/DSA-5096-1>

If this is unintended, please fix the tracker data.
Otherwise, please clarify.

Thanks for your time and patience!
--- End Message ---
--- Begin Message ---
On Wed, Mar 09, 2022 at 11:30:31PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello.
>
> In [DSA-5096-1], several CVEs are said to be fixed for buster in
> linux/4.19.232-1 .
> However, one of them is [CVE-2021-4202], which seems to be missing from
> the corresponding [DSA tracker page] (maybe because that CVE is not
> included in the list at the beginning of the DSA?).
>
> [DSA-5096-1]:
> <https://lists.debian.org/debian-security-announce/2022/msg00063.html>
> [CVE-2021-4202]: <https://security-tracker.debian.org/tracker/CVE-2021-4202>
> [DSA tracker page]: <https://security-tracker.debian.org/tracker/DSA-5096-1>
>
> If this is unintended, please fix the tracker data.
> Otherwise, please clarify.
>
> Thanks for your time and patience!

Thank you for reporting. It's fixed now.

Regards,
Salvatore
--- End Message ---
Bug#1001453: marked as done (security-tracker: extend support for bug reporting to update the CVE list with the bug number)
Your message dated Thu, 3 Feb 2022 11:07:06 + with message-id <20220203110706.1404efb1@felix.codehelp> and subject line Merged has caused the Debian Bug report #1001453, regarding security-tracker: extend support for bug reporting to update the CVE list with the bug number to be marked as done.

--
1001453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001453

--- Begin Message ---
Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codeh...@debian.org

Adding this as a wishlist bug, arising from existing ideas and discussions with the security team.

'bin/report-vuln' is useful to standardise reports to the BTS but there is then a manual step of updating data/CVE/list with the bug number.

A tool to automate a syntactically correct change to a specific CVE would be a useful extension of this support, not just to add the bug number once the email is received from the BTS but to also make other standard changes:

- mark CVE as fixed in unstable in version
- mark a given released suite (stable/oldstable/LTS) as for a specific CVE ID
- add a bug number to an existing CVE entry
- add a NOTE: entry to an existing CVE

Implement with a view that the requests could be integrated into tracker.d.o so that a merge request can be generated against the security tracker or a syntactically valid snippet can be generated that can be merged into the tracker after review.

The parsing support would be similar to existing scripts and tools and to the support proposed for #1001451 - this tool is focused on changes to a specific CVE.
--- End Message ---
--- Begin Message ---
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38fc7543c6e8fc4a2d15540fd63b837218361e8f

Incremental work will continue from here for feature requests and to run tests on the bin/ and lib/ scripts (on branches or possibly on schedules).

--
Neil Williams = https://linux.codehelp.co.uk/
--- End Message ---
Bug#1001451: marked as done (security-tracker: create tool to ease processing of new uploads that fix CVEs)
Your message dated Thu, 3 Feb 2022 11:07:06 + with message-id <20220203110706.1404efb1@felix.codehelp> and subject line Merged has caused the Debian Bug report #1001451, regarding security-tracker: create tool to ease processing of new uploads that fix CVEs to be marked as done.

--
1001451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001451

--- Begin Message ---
Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codeh...@debian.org

This is one of a few bugs arising from discussions with Salvatore & Moritz whilst triaging CVEs.

When an upload is made to unstable or experimental, triage of debian-devel-changes will list any CVEs fixed. It would be useful to have a simple tool (bin/grab-cve-in-fix ) which:

- queries the latest version of source: in unstable
- extracts all mentioned CVE IDs from the change
- creates a correctly formatted CVE snippet with the recorded fixes that can be reviewed and merged into the main data/CVE/list

All changes would need manual review.

The email from debian-devel-changes could provide enough information. Alternatively, tracker.d.o or apt-cache could be used (e.g. relying on the `make update-packages` support already available in the security tracker code).

1: Provide an option to parse the email from debian-devel-changes
2: Provide an option to lookup the information using tracker.d.o
3: Fallback to lookup the information in the local apt-cache data populated by 'make update-packages'

Output a file which can be used with bin/merge-cve-files once the changes have been reviewed.

Additionally, implement support for a similar process to update all CVEs whenever a package moves out of NEW and into the archive.
--- End Message ---
--- Begin Message ---
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38fc7543c6e8fc4a2d15540fd63b837218361e8f

Incremental work will continue from here for feature requests and to run tests on the bin/ and lib/ scripts (on branches or possibly on schedules).

--
Neil Williams = https://linux.codehelp.co.uk/
--- End Message ---
Bug#1002516: marked as done (security-tracker: DSA-5000-2 vs. tracker)
Your message dated Thu, 23 Dec 2021 17:14:10 +0100 with message-id <20211223161410.ga28...@inutil.org> and subject line Re: security-tracker: DSA-5000-2 vs. tracker has caused the Debian Bug report #1002516, regarding security-tracker: DSA-5000-2 vs. tracker to be marked as done.

--
1002516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002516

--- Begin Message ---
Package: security-tracker
Severity: normal

Hello!

In [DSA-5000-2], a number of CVEs are declared fixed for buster in openjdk-11/11.0.13+8-1~deb10u1 .
However, the [DSA tracker page] incorrectly says that this version fixes the CVEs for stretch.

If you agree that this is a typo, please fix the tracker data.

Thanks for your time and dedication!

[DSA-5000-2]: <https://lists.debian.org/debian-security-announce/2021/msg00216.html>
[DSA tracker page]: <https://security-tracker.debian.org/tracker/DSA-5000-2>
--- End Message ---
--- Begin Message ---
On Thu, Dec 23, 2021 at 05:06:14PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello!
>
> In [DSA-5000-2], a number of CVEs are declared fixed for buster
> in openjdk-11/11.0.13+8-1~deb10u1 .
> However, the [DSA tracker page] incorrectly says that this version
> fixes the CVEs for stretch.

Thanks, fixed.
--- End Message ---
Processed: Re: Track renames of source packages
Processing commands for cont...@bugs.debian.org:

> forwarded 738172
> https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/88
Bug #738172 [security-tracker] Track renames of source packages
Set Bug forwarded-to-address to 'https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/88'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
738172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738172
Processed: tagging 994897
Processing commands for cont...@bugs.debian.org:

> tags 994897 + confirmed
Bug #994897 [security-tracker] security-tracker: turning text URL to link includes extraneous character
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
994897: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994897
Processed: closing 993488
Processing commands for cont...@bugs.debian.org:

> reassign 993488 general
Bug #993488 [security-tracker] security-tracker: Revoked group permission on a user continue to take effect on all existing processes and sessions
Bug reassigned from package 'security-tracker' to 'general'.
Ignoring request to alter found versions of bug #993488 to the same values previously set
Ignoring request to alter fixed versions of bug #993488 to the same values previously set
> tags 993488 + wontfix
Bug #993488 [general] security-tracker: Revoked group permission on a user continue to take effect on all existing processes and sessions
Added tag(s) wontfix.
> close 993488
Bug #993488 [general] security-tracker: Revoked group permission on a user continue to take effect on all existing processes and sessions
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
993488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993488
Bug#850076: marked as done (security-tracker: List CVEs in ascending/descending order consistently)
Your message dated Sat, 14 Aug 2021 22:05:29 +0200 with message-id and subject line Re: Bug#850076: security-tracker: List CVEs in ascending/descending order consistently has caused the Debian Bug report #850076, regarding security-tracker: List CVEs in ascending/descending order consistently to be marked as done.

--
850076: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850076

--- Begin Message ---
Package: security-tracker
Severity: wishlist

Hi

(Opening this bug so we do not forget)

Since the CVE id format change allowing longer CVE id as of the form CVE-- with only four digits, the security-tracker does not display anymore necessarily CVE lists in ascending/descending order since it sorts the CVE in "ASCIIbetical" order.

It would be nice to see proper sorted CVE id in increasing/decreasing order.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi,

On Tue, Jan 03, 2017 at 09:13:13PM +0100, Salvatore Bonaccorso wrote:
> Package: security-tracker
> Severity: wishlist
>
> Hi
>
> (Opening this bug so we do not forget)
>
> Since the CVE id format change allowing longer CVE id as of the form
> CVE-- with only four digits, the security-tracker does not
> display anymore necessarily CVE lists in ascending/descending order
> since it sorts the CVE in "ASCIIbetical" order.
>
> It would be nice to see proper sorted CVE id in increasing/decreasing
> order.

This was addressed a while back, and should now be consistent.

Related: https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/81

Regards,
Salvatore
--- End Message ---
Bug#992159: marked as done (security-tracker: DSA-4957-1 vs. tracker)
Your message dated Sat, 14 Aug 2021 14:17:51 +0200 with message-id and subject line Re: Bug#992159: security-tracker: DSA-4957-1 vs. tracker has caused the Debian Bug report #992159, regarding security-tracker: DSA-4957-1 vs. tracker to be marked as done.

--
992159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992159

--- Begin Message ---
Package: security-tracker
Severity: normal

Hi everyone!

In [DSA-4957-1], a number of CVEs are listed as fixed in trafficserver for buster: CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474 CVE-2021-32565 .

However, the last one [CVE-2021-32565] is not present in the corresponding [DSA tracker page], probably due to a typo in the [changelog entry].

[DSA-4957-1]: <https://lists.debian.org/debian-security-announce/2021/msg00141.html>
[CVE-2021-32565]: <https://security-tracker.debian.org/tracker/CVE-2021-32565>
[DSA tracker page]: <https://security-tracker.debian.org/tracker/DSA-4957-1>
[changelog entry]: <https://tracker.debian.org/news/1245719/accepted-trafficserver-802ds-1deb10u5-source-into-stable-embargoed-stable/>

If this is the case, please update the tracker data.
Thanks for your time!
--- End Message ---
--- Begin Message ---
Hi,

On Sat, Aug 14, 2021 at 12:09:51PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hi everyone!
>
> In [DSA-4957-1], a number of CVEs are listed as fixed in trafficserver
> for buster: CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474
> CVE-2021-32565 .
>
> However, the last one [CVE-2021-32565] is not present in the
> corresponding [DSA tracker page], probably due to a typo in
> the [changelog entry].
>
> [DSA-4957-1]:
> <https://lists.debian.org/debian-security-announce/2021/msg00141.html>
> [CVE-2021-32565]: <https://security-tracker.debian.org/tracker/CVE-2021-32565>
> [DSA tracker page]: <https://security-tracker.debian.org/tracker/DSA-4957-1>
> [changelog entry]:
> <https://tracker.debian.org/news/1245719/accepted-trafficserver-802ds-1deb10u5-source-into-stable-embargoed-stable/>
>
> If this is the case, please update the tracker data.
> Thanks for your time!

Thanks, fixed.

Regards,
Salvatore
--- End Message ---
Bug#988823: marked as done (security-tracker: DSA-4917-1 vs. tracker)
Your message dated Thu, 20 May 2021 08:41:16 +0200 with message-id <20210520064116.ga25...@lorien.valinor.li> and subject line Re: Bug#988823: security-tracker: DSA-4917-1 vs. tracker has caused the Debian Bug report #988823, regarding security-tracker: DSA-4917-1 vs. tracker to be marked as done.

--
988823: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988823

--- Begin Message ---
Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4917-1], a number of CVEs are fixed in chromium for buster: CVE-2021-30506 ÷ CVE-2021-30520.

The tracker [DSA page] agrees on that, but also refers to [CVE-2021-3051], which is not mentioned in the DSA.

[DSA-4917-1]: <https://lists.debian.org/debian-security-announce/2021/msg00098.html>
[DSA page]: <https://security-tracker.debian.org/tracker/DSA-4917-1>
[CVE-2021-3051]: <https://security-tracker.debian.org/tracker/CVE-2021-3051>

Is the DSA incomplete or does the tracker page need a correction?

Please let me know, and update the tracker data, if needed.
Thanks for your time!
--- End Message ---
--- Begin Message ---
Hi,

On Wed, May 19, 2021 at 11:45:00PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello everyone!
>
> According to [DSA-4917-1], a number of CVEs are fixed in chromium
> for buster: CVE-2021-30506 ÷ CVE-2021-30520.
>
> The tracker [DSA page] agrees on that, but also refers to
> [CVE-2021-3051], which is not mentioned in the DSA.
>
> [DSA-4917-1]:
> <https://lists.debian.org/debian-security-announce/2021/msg00098.html>
> [DSA page]: <https://security-tracker.debian.org/tracker/DSA-4917-1>
> [CVE-2021-3051]: <https://security-tracker.debian.org/tracker/CVE-2021-3051>
>
> Is the DSA incomplete or does the tracker page need a correction?
>
> Please let me know, and update the tracker data, if needed.
> Thanks for your time!

There was erroneously CVE-2021-3051 in the CVE list, which I think might have been caused by a typo (the list initially as well missed CVE-2021-30517, which was added later).

The tracker data itself should now be correct again (but will take up to an hour at least for showing it fully correct).

Regards,
Salvatore
--- End Message ---
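The "DSA vs. tracker" reports above and the "ASCIIbetical" ordering from Bug#850076 can be combined into one consistency check. The following is an added example, not code from the security-tracker: the function names are hypothetical, and the sample data is constructed from the CVE IDs quoted in the DSA-4917-1 thread rather than taken from real tracker data.

```python
import re

# A CVE ID has a four-digit year and a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def cve_key(cve_id):
    """Sort key that compares year and sequence number as integers."""
    match = CVE_RE.fullmatch(cve_id)
    if match is None:
        raise ValueError("not a CVE ID: %r" % (cve_id,))
    return int(match.group(1)), int(match.group(2))


def extract_cves(text):
    """Return the set of CVE IDs mentioned anywhere in free text."""
    return {match.group(0) for match in CVE_RE.finditer(text)}


def compare_with_tracker(announcement_text, tracker_ids):
    """Report the differences between an announcement and a tracker entry.

    Both result lists are in numeric order, so a short ID such as
    CVE-2021-3051 is not buried among the five-digit IDs it resembles.
    """
    announced = extract_cves(announcement_text)
    tracked = set(tracker_ids)
    return {
        "missing_from_tracker": sorted(announced - tracked, key=cve_key),
        "not_in_announcement": sorted(tracked - announced, key=cve_key),
    }


def sample_data():
    """Constructed sample mirroring the DSA-4917-1 report (not real data)."""
    announced_ids = ["CVE-2021-%d" % n for n in range(30506, 30521)]
    announcement = "Fixed in this update: " + " ".join(announced_ids)
    # The tracker side lacks CVE-2021-30517 and carries the stray CVE-2021-3051.
    tracker = [c for c in announced_ids if c != "CVE-2021-30517"]
    tracker.append("CVE-2021-3051")
    return announcement, tracker


if __name__ == "__main__":
    announcement, tracker = sample_data()
    # Plain string sorting hides the stray ID between ...30509 and ...30510.
    print("ASCIIbetical:", sorted(tracker)[:6])
    print("numeric:     ", sorted(tracker, key=cve_key)[:6])
    print(compare_with_tracker(announcement, tracker))
```

With string ordering the truncated ID sits in the middle of the range it was mistyped from, which is why the numeric key matters when reviewing such lists by eye.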
Bug#949260: marked as done (security-tracker: add cvedetails.com to Source?)
Your message dated Fri, 30 Apr 2021 09:40:22 +0200 with message-id <20210430074022.a3d33yi367m7a...@inutil.org> and subject line Re: Bug#949260: security-tracker: add cvedetails.com to Source? has caused the Debian Bug report #949260, regarding security-tracker: add cvedetails.com to Source? to be marked as done.

--
949260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949260

--- Begin Message ---
Package: security-tracker
Severity: wishlist

It might be nice to add "cvedetails.com" to CVE Source links.

Here is a sample:

https://www.cvedetails.com/cve/CVE-2019-13072/

Thanks.

--
Cheers,
Dmitry Smirnov

---

Those who are repeatedly passive in the face of injustice soon find their character corroded.
-- Julian Assange
--- End Message ---
--- Begin Message ---
On Fri, Apr 30, 2021 at 01:47:34AM +0200, Roland wrote:
> On Sat, 18 Jan 2020 12:52:38 +1100 Dmitry Smirnov
> wrote:
> > Package: security-tracker
> > Severity: wishlist
> >
> > It might be nice to add "cvedetails.com" to CVE Source links.
>
> cvedetails does not seem to be a reliable/trusted and current source for
> cve security information anymore, so using this tool may provide
> incomplete information (depending on search)

Agreed, closing the bug.

Cheers,
Moritz
--- End Message ---
Bug#931533: marked as done (security-tracker: Fetch Sources.xz/Packages.xz indices when available instead of Sources.gz/Packages.gz)
Your message dated Wed, 30 Sep 2020 21:37:31 +0200 with message-id <5123b8ca-c865-01e5-47cd-f369f85a7...@debian.org> and subject line Re: security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz has caused the Debian Bug report #931533, regarding security-tracker: Fetch Sources.xz/Packages.xz indices when available instead of Sources.gz/Packages.gz to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 931533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931533
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: security-tracker
Severity: important
Control: affects -1 + ftp.debian.org

Starting with the buster release for the *-security and *-backports suites there are no Sources.gz and Packages.gz available in

http://security.debian.org/debian-security/dists/buster/updates/main/source/
http://security.debian.org/debian-security/dists/bullseye-security/main/source/

But security-tracker is hardcoding fetching the respective gz files in lib/python/debian_support.py via:

    def downloadGunzipLines(remote):
        """Downloads a file from a remote location and gunzips it.

        Returns the lines in the file."""

        data = urllib2.urlopen(remote, timeout=TIMEOUT)
        try:
            gfile = gzip.GzipFile(fileobj=StringIO(data.read()))
            try:
                return gfile.readlines()
            finally:
                gfile.close()
        finally:
            data.close()

    def downloadFile(remote, local):
        """Copies a gzipped remote file to the local system.

        remote - URL, without the .gz suffix
        local - name of the local file
        """

        lines = downloadGunzipLines(remote + '.gz')
        replaceFile(lines, local)
        return lines

This should be more flexible, depending on what is available (possibly doing similar as apt-file).

For now ftp-master kindly re-enabled generation of *.gz files as well for the security archive for buster and bullseye-security (not for *-backports, which has been disabled temporarily via https://salsa.debian.org/security-tracker-team/security-tracker/commit/02cd33cd782c84e3e06631bb609e1b480da8bcd1).

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi,

On Sun, 07 Jul 2019 11:05:06 +0200 Salvatore Bonaccorso wrote:
> Package: security-tracker
> Severity: important
> Control: affects -1 + ftp.debian.org
>
> Starting with the buster release for the *-security and *-backports suites there are no Sources.gz and Packages.gz available in
>
> http://security.debian.org/debian-security/dists/buster/updates/main/source/
> http://security.debian.org/debian-security/dists/bullseye-security/main/source/
>
> But security-tracker is hardcoding fetching the respective gz files in lib/python/debian_support.py via:
>
>     def downloadGunzipLines(remote):
>         """Downloads a file from a remote location and gunzips it.
>
>         Returns the lines in the file."""
>
>         data = urllib2.urlopen(remote, timeout=TIMEOUT)
>         try:
>             gfile = gzip.GzipFile(fileobj=StringIO(data.read()))
>             try:
>                 return gfile.readlines()
>             finally:
>                 gfile.close()
>         finally:
>             data.close()
>
>     def downloadFile(remote, local):
>         """Copies a gzipped remote file to the local system.
>
>         remote - URL, without the .gz suffix
>         local - name of the local file
>         """
>
>         lines = downloadGunzipLines(remote + '.gz')
>         replaceFile(lines, local)
>         return lines
>
> This should be more flexible, depending on what is available (possibly doing similar as apt-file).

Fixed in https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e1e759b3038544b1e71ce6ed8707a61406ecb8

> For now ftp-master kindly re-enabled generation of *.gz files as well for the security archive for buster and bullseye-security (not for *-backports, which has been disabled temporarily via https://salsa.debian.org/security-tracker-team/security-tracker/commit/02cd33cd782c84e3e06631bb609e1b480da8bcd1).

Now that we support .xz files, I reverted that in https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88ca724c224790bbf96016aff16c11d4f025db5a

Cheers,
Emilio
--- End Message ---
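The fallback requested in #931533, sketched as an added Python 3 example; it is not the security-tracker's code and not the content of the commits linked above. It tries the .xz index first and falls back to .gz only when the archive answers 404, and it refuses truncated or oversized streams. The names `download_index`, `decompress`, `NotAvailable`, `dict_fetch`, the size cap, the optional checksum argument and the sample data are assumptions made for the illustration.

```python
import gzip
import hashlib
import lzma
import urllib.error
import urllib.request
import zlib

TIMEOUT = 60                          # seconds (assumed value)
MAX_INDEX_BYTES = 512 * 1024 * 1024   # assumed cap on decompressed size
PREFERENCE = (".xz", ".gz")           # try the smaller format first


class NotAvailable(Exception):
    """The archive does not publish the requested index variant."""


def http_fetch(url):
    """Return the body at url; a 404 means 'this variant does not exist'."""
    try:
        with urllib.request.urlopen(url, timeout=TIMEOUT) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            raise NotAvailable(url) from exc
        raise  # other HTTP errors are real failures, not a reason to fall back


def decompress(suffix, blob, limit=MAX_INDEX_BYTES):
    """Decompress blob, refusing oversized, corrupt or truncated streams."""
    if suffix == ".xz":
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    elif suffix == ".gz":
        dec = zlib.decompressobj(zlib.MAX_WBITS | 16)  # expect gzip framing
    else:
        raise ValueError("unsupported suffix: " + suffix)
    try:
        out = dec.decompress(blob, limit + 1)  # never produce more than limit+1
    except (lzma.LZMAError, zlib.error) as exc:
        raise ValueError("corrupt %s stream: %s" % (suffix, exc)) from exc
    if len(out) > limit:
        raise ValueError("decompressed index exceeds %d bytes" % limit)
    if not dec.eof:
        raise ValueError("truncated %s stream" % suffix)
    return out


def download_index(remote, fetch=http_fetch, sha256=None):
    """Fetch remote + suffix for the first suffix the archive offers.

    remote - URL, without any compression suffix
    sha256 - optional {suffix: hex digest} of the compressed files,
             e.g. taken from the suite's signed Release file
    Returns (suffix, lines).
    """
    for suffix in PREFERENCE:
        try:
            blob = fetch(remote + suffix)
        except NotAvailable:
            continue
        if sha256 is not None:
            if hashlib.sha256(blob).hexdigest() != sha256.get(suffix):
                raise ValueError("checksum mismatch for " + remote + suffix)
        text = decompress(suffix, blob).decode("utf-8")
        return suffix, text.splitlines(keepends=True)
    raise NotAvailable(remote + " (tried " + ", ".join(PREFERENCE) + ")")


# Constructed sample data: a two-stanza Sources file served from memory.
BASE = "http://archive.example.invalid/dists/buster/updates/main/source/Sources"
SAMPLE = (b"Package: hello\nVersion: 2.10-2\n\n"
          b"Package: zlib\nVersion: 1:1.2.11.dfsg-1\n")


def dict_fetch(files):
    """Build a fetch() that serves files from a dict instead of the network."""
    def fetch(url):
        if url not in files:
            raise NotAvailable(url)
        return files[url]
    return fetch


if __name__ == "__main__":
    xz_only = dict_fetch({BASE + ".xz": lzma.compress(SAMPLE)})
    gz_only = dict_fetch({BASE + ".gz": gzip.compress(SAMPLE)})
    for name, fetch in (("xz only", xz_only), ("gz only", gz_only)):
        suffix, lines = download_index(BASE, fetch)
        print(name, "->", suffix, len(lines), "lines")
```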
Bug#959231: marked as done (security-tracker: Proxy Error on CVE-2020-11565 tracker page)
Your message dated Fri, 1 May 2020 16:46:21 +0200 with message-id <20200501144621.GA19818@eldamar.local> and subject line Re: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page has caused the Debian Bug report #929228, regarding security-tracker: Proxy Error on CVE-2020-11565 tracker page to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 929228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929228 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi all! I noticed that the tracker page for [CVE-2020-11565] fails to display and returns the following error: | Proxy Error | | The proxy server received an invalid response from an upstream server. | The proxy server could not handle the request | | Reason: Error reading from remote server | | Apache Server at security-tracker.debian.org Port 443 [CVE-2020-11565]: <https://security-tracker.debian.org/tracker/CVE-2020-11565> Please note that the CVE is mentioned in [DSA-4667-1]. [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html> What's wrong with that tracker page? Please fix anything that's missing. Thanks for your time and dedication! 
--- End Message ---
--- Begin Message ---
Hi Florian,

On Fri, May 01, 2020 at 04:01:39PM +0200, Florian Weimer wrote:
> * Salvatore Bonaccorso:
>
> > Hi Florian,
> >
> > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
> >> * Salvatore Bonaccorso:
> >>
> >> > Hi Florian,
> >> >
> >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
> >> >> * Florian Weimer:
> >> >>
> >> >> > * Francesco Poli:
> >> >> >
> >> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
> >> >> >>
> >> >> >> [DSA-4667-1]:
> >> >> >> <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
> >> >> >>
> >> >> >> What's wrong with that tracker page?
> >> >> >
> >> >> > It's something in the NVD data that breaks the HTML escaping.
> >> >>
> >> >> This patch adds basic Unicode support to the web framework. I'm not
> >> >> sure if it is the right direction to move in, but it fixes the issue.
> >> >>
> >> >> An alternative fix would be to change the NVD importer not to put
> >> >> Unicode strings into the database, by encoding them as byte strings
> >> >> first.
> >> >
> >> > Do you want to deploy that or rather investigate an alternative?
> >>
> >> I'd appreciate if you could spot-check the changes (e.g., do we still
> >> do HTML escaping properly?) and deploy it. It looks like I have
> >> forgotten how to do it.
> >
> > Looks good to me, and yes can deploy it if you want me to. Please have
> > a look at the attached git format-patch'ed version if you agree with the
> > slight rewrite, since I do not want to commit something in your name
> > you would not agree with).
>
> Still looks fine.
>
> Signed-off-by: Florian Weimer

Thanks, applied and deployed.

Regards,
Salvatore
--- End Message ---
Bug#929228: marked as done (security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page)
Your message dated Fri, 1 May 2020 16:46:21 +0200 with message-id <20200501144621.GA19818@eldamar.local> and subject line Re: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page has caused the Debian Bug report #929228, regarding security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 929228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: security-tracker
Severity: normal

Found this while checking for other issues, but no time to further properly investigate, but did not want to lose that initial tracking.

When a CVE description from MITRE contains non-ascii/non-valid characters like

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2019-0976

> A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac
> that could allow an authenticated attacker to modify contents of the
> intermediate build folder (by default “objâ€Â),
> aka 'NuGet Package Manager Tampering Vulnerability'.

this causes issues accessing the respective CVE page once the description has been merged:

https://security-tracker.debian.org/tracker/CVE-2019-0976

Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "../lib/python/web_support.py", line 805, in do_GET
    result = r.flatten_later()
  File "../lib/python/web_support.py", line 662, in flatten_later
    self.contents.flatten(buf.write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 286, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 332, in flatten
    write(escapeHTML(x))
  File "../lib/python/web_support.py", line 242, in escapeHTML
    append(charToHTML[ord(ch)])
IndexError: list index out of range

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi Florian,

On Fri, May 01, 2020 at 04:01:39PM +0200, Florian Weimer wrote:
> * Salvatore Bonaccorso:
>
> > Hi Florian,
> >
> > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
> >> * Salvatore Bonaccorso:
> >>
> >> > Hi Florian,
> >> >
> >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
> >> >> * Florian Weimer:
> >> >>
> >> >> > * Francesco Poli:
> >> >> >
> >> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
> >> >> >>
> >> >> >> [DSA-4667-1]:
> >> >> >> <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
> >> >> >>
> >> >> >> What's wrong with that tracker page?
> >> >> >
> >> >> > It's something in the NVD data that breaks the HTML escaping.
> >> >>
> >> >> This patch adds basic Unicode support to the web framework. I'm not
> >> >> sure if it is the right direction to move in, but it fixes the issue.
> >> >>
> >> >> An alternative fix would be to change the NVD importer not to put
> >> >> Unicode strings into the database, by encoding them as byte strings
> >> >> first.
> >> >
> >> > Do you want to deploy that or rather investigate an alternative?
> >>
> >> I'd appreciate if you could spot-check the changes (e.g., do we still
> >> do HTML escaping properly?) and deploy it. It looks like I have
> >> forgotten how to do it.
> >
> > Looks good to me, and yes can deploy it if you want me to. Please have
> > a look at the attached git format-patch'ed version if you agree with the
> > slight rewrite, since I do not want to commit something in your name
> > you would not agree with).
>
> Still looks fine.
>
> Signed-off-by: Florian Weimer

Thanks, applied and deployed.

Regards,
Salvatore
--- End Message ---
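The failure in the traceback above and the spot-check Florian asks for ("do we still do HTML escaping properly?"), as an added Python 3 example; this is not the tracker's web_support.py and not the patch that was deployed. The 256-entry table is an assumption inferred from the IndexError on `charToHTML[ord(ch)]`, and `escape_html_table`, `to_text`, `escape_html` and the sample string are names and data made up for the illustration.

```python
# Reconstruction of the failing pattern. Assumption: a 256-entry lookup
# list, which is what an IndexError on charToHTML[ord(ch)] implies.
CHAR_TO_HTML = [chr(i) for i in range(256)]
MARKUP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
for raw, entity in MARKUP.items():
    CHAR_TO_HTML[ord(raw)] = entity


def escape_html_table(text):
    """Table-driven escaper: raises IndexError for code points >= 256."""
    out = []
    append = out.append
    for ch in text:
        append(CHAR_TO_HTML[ord(ch)])
    return "".join(out)


# Sparse mapping: only markup characters are listed, every other code
# point passes through unchanged, so there is no table to run off.
TRANSLATION = {ord(raw): entity for raw, entity in MARKUP.items()}


def to_text(value):
    """Normalise importer output: bytes are decoded as UTF-8 and any
    undecodable sequence becomes U+FFFD instead of raising."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return value


def escape_html(value, ascii_only=False):
    """Escape markup characters for any Unicode input.

    ascii_only=True additionally emits non-ASCII characters as numeric
    character references, for pages served without a UTF-8 charset.
    """
    text = to_text(value).translate(TRANSLATION)
    if ascii_only:
        # Runs after escaping, so the '&' of '&#8220;' is not escaped again.
        return text.encode("ascii", "xmlcharrefreplace").decode("ascii")
    return text


# Constructed sample: non-ASCII quotes around "obj", modelled on the
# description quoted in the report, plus markup characters to confirm
# that escaping still happens.
SAMPLE = "build folder (by default \u201cobj\u201d) <b>A & B</b>"

if __name__ == "__main__":
    try:
        escape_html_table(SAMPLE)
    except IndexError as exc:
        print("table escaper failed:", exc)
    print(escape_html(SAMPLE))
    print(escape_html(SAMPLE, ascii_only=True))
```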
Processed: Re: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
Processing control commands: > forcemerge 929228 959231 Bug #929228 [security-tracker] security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page Bug #959231 [security-tracker] security-tracker: Proxy Error on CVE-2020-11565 tracker page Merged 929228 959231 -- 929228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929228 959231: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959231 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#949260: security-tracker: add cvedetails.com to Source?
Processing control commands: > tags -1 + moreinfo Bug #949260 [security-tracker] security-tracker: add cvedetails.com to Source? Added tag(s) moreinfo. -- 949260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949260 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#947686: marked as done (security-tracker: DSA-4595-1 vs. tracker)
Your message dated Sun, 29 Dec 2019 11:32:24 +0100 with message-id <20191229103224.GA895172@pisco.westfalen.local> and subject line Re: Bug#947686: security-tracker: DSA-4595-1 vs. tracker has caused the Debian Bug report #947686, regarding security-tracker: DSA-4595-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 947686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947686 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everyone! According to [DSA-4595-1], CVE-2019-3467 is fixed in debian-lan-config for stretch and buster. However, the tracker [CVE page] does not seem to be linked to the [DSA page], thus failing to show the correct fixed versions for debian-lan-config. Please update the tracker data, as appropriate. Thanks for your time! [DSA-4595-1]: <https://lists.debian.org/debian-security-announce/2019/msg00249.html> [CVE page]: <https://security-tracker.debian.org/tracker/CVE-2019-3467> [DSA page]: <https://security-tracker.debian.org/tracker/DSA-4595-1> --- End Message --- --- Begin Message --- On Sun, Dec 29, 2019 at 11:24:08AM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everyone! > > According to [DSA-4595-1], CVE-2019-3467 is fixed in debian-lan-config > for stretch and buster. > > However, the tracker [CVE page] does not seem to be linked to the > [DSA page], thus failing to show the correct fixed versions for > debian-lan-config. > > Please update the tracker data, as appropriate. Thanks for the report! 
I pushed a fix, should appear with the next cross-reference run. Cheers, Moritz--- End Message ---
Processed: retitle 931533 to security-tracker: Fetch Sources.xz/Packages.xz indices when available instead of Sources.gz/Packages.gz
Processing commands for cont...@bugs.debian.org: > retitle 931533 security-tracker: Fetch Sources.xz/Packages.xz indices when > available instead of Sources.gz/Packages.gz Bug #931533 [security-tracker] security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz Changed Bug title to 'security-tracker: Fetch Sources.xz/Packages.xz indices when available instead of Sources.gz/Packages.gz' from 'security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz'. > thanks Stopping processing here. Please contact me if you need assistance. -- 931533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931533 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 931533
Processing commands for cont...@bugs.debian.org: > tags 931533 + help Bug #931533 [security-tracker] security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz Added tag(s) help. > thanks Stopping processing here. Please contact me if you need assistance. -- 931533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931533 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz
Processing control commands: > affects -1 + ftp.debian.org Bug #931533 [security-tracker] security-tracker: Fetch Sources.xz/Packages.xz when available instead of Sources.gz/Packages.gz Added indication that 931533 affects ftp.debian.org -- 931533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931533 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: closing 761963
Processing commands for cont...@bugs.debian.org: > close 761963 Bug #761963 [security-tracker] security-tracker: consolidate vulnerable/fixed per release in overviews Bug #762288 [security-tracker] security-tracker: available versions table is unnecessary Marked Bug as done Marked Bug as done > thanks Stopping processing here. Please contact me if you need assistance. -- 761963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761963 762288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762288 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#660190: marked as done (security-tracker: add per-maintainer page (with half-baked patch))
Your message dated Thu, 6 Jun 2019 21:56:55 +0200 with message-id <20190606195655.GA12735@eldamar.local> and subject line Re: Bug#507303: security-tracker: please provide a per-maintainer report has caused the Debian Bug report #507303, regarding security-tracker: add per-maintainer page (with half-baked patch) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 507303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507303 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist The attached patch implements a first pass at a per-maintainer page of security issues. It involves some database schema changes to it will require a full reimport of all the data. My SQL knowledge isn't great, so there are some deficiencies: I'm not sure if the adding another table is the right way to go, nor if I used the right table name. I'm not sure if the getBugsForMaintainer is correct, especially wrt version numbers/releases/etc. I am not sure how to implement a getDSAsForMaintainer function to add DSAs related to the maintainer at the bottom of the page. -- bye, pabs http://wiki.debian.org/PaulWise Index: lib/python/security_db.py === --- lib/python/security_db.py (revision 18462) +++ lib/python/security_db.py (working copy) @@ -38,6 +38,7 @@ import sys import types import zlib +import email.utils import debian_support import dist_config 
@@ -123,6 +124,9 @@ # Enable WAL. This means that updates will not block readers. c.execute("PRAGMA journal_mode = WAL") +# Enable foreign keys +c.execute("PRAGMA foreign_keys=ON") + self.schema_version = 22 self._initFunctions() @@ -198,15 +202,23 @@ cursor.execute( """CREATE TABLE source_packages -(name TEXT NOT NULL, +(id INTEGER, +name TEXT NOT NULL, release TEXT NOT NULL, subrelease TEXT NOT NULL, archive TEXT NOT NULL, version TEXT NOT NULL, version_id INTEGER NOT NULL DEFAULT 0, -PRIMARY KEY (name, release, subrelease, archive))""") +UNIQUE (name, release, subrelease, archive), +PRIMARY KEY(id ASC))""") cursor.execute( +"""CREATE TABLE source_package_maintainers +(source_package_id INTEGER NOT NULL, +maintainer TEXT NOT NULL, +FOREIGN KEY(source_package_id) REFERENCES source_packages(id) ON DELETE CASCADE)""") + +cursor.execute( """CREATE TABLE binary_packages (name TEXT NOT NULL, release TEXT NOT NULL, @@ -348,14 +360,14 @@ AND sidp.release = 'sid' AND sidp.subrelease = '' AND sidp.archive = sp.archive AND sidst.bug_name = st.bug_name -AND sidst.package = sidp.rowid) AS unstable_vulnerable, +AND sidst.package = sidp.id) AS unstable_vulnerable, COALESCE((SELECT NOT vulnerable FROM source_packages AS tsecp, source_package_status AS tsecst WHERE tsecp.name = sp.name AND tsecp.release = 'wheezy' AND tsecp.subrelease = 'security' AND tsecp.archive = sp.archive AND tsecst.bug_name = st.bug_name -AND tsecst.package = tsecp.rowid), 0) AS testing_security_fixed, +AND tsecst.package = tsecp.id), 0) AS testing_security_fixed, (SELECT range_remote FROM nvd_data WHERE cve_name = st.bug_name) AS remote, (EXISTS (SELECT * FROM package_notes_nodsa AS pnd 
@@ -363,7 +375,7 @@ AND pnd.package = sp.name AND pnd.release = 'wheezy')) AS no_dsa FROM source_package_status AS st, source_packages AS sp -WHERE st.vulnerable > 0 AND sp.rowid = st.package +WHERE st.vulnerable > 0 AND sp.id = st.package AND sp.release = 'wheezy' AND sp.subrelease = '' ORDER BY sp.name, st.urgency, st.bug_name""") @@ -380,7 +392,7 @@ AND pnd.package = sp.name AND pnd.release = '%s')) AS no_dsa FROM source_package_status AS st, source_packages AS sp -WHERE st.vulnerable > 0 AND sp.rowid =
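Review bot: In the @@ -123,6 +124,9 @@ hunk, self.schema_version = 22 stays as an unchanged context line even though the patch changes the layout of source_packages and adds source_package_maintainers. The cover text says a full reimport is required, so bump the schema version in the same change; otherwise a database created with the old layout can be opened as current and the rewritten queries will reference sp.id on a table that has no such column. Note also that PRAGMA foreign_keys is a per-connection setting in SQLite, so the ON DELETE CASCADE added later only takes effect on connections that run this PRAGMA.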
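Review bot: In the @@ -198,15 +202,23 @@ hunk, source_package_maintainers is created with no uniqueness constraint and no index. Nothing prevents duplicate (source_package_id, maintainer) rows on import, and a per-maintainer page will filter on maintainer, which means a full table scan as written. Suggest PRIMARY KEY (source_package_id, maintainer) plus a separate index on maintainer. Since id is declared INTEGER with PRIMARY KEY(id ASC), it is an alias for SQLite's rowid, so the rowid to id replacements in the later hunks do not change which rows are joined; that is worth stating in the commit message, because source_package_status.package keeps storing the same values.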
Bug#507303: marked as done (security-tracker: please provide a per-maintainer report)
Your message dated Thu, 6 Jun 2019 21:56:55 +0200 with message-id <20190606195655.GA12735@eldamar.local> and subject line Re: Bug#507303: security-tracker: please provide a per-maintainer report has caused the Debian Bug report #507303, regarding security-tracker: please provide a per-maintainer report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 507303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507303 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist It would be great to provide such report, as to have a link to it on the DDPO. Cheers, -- Raphael Geissert - Debian Maintainer www.debian.org - get.debian.net signature.asc Description: This is a digitally signed message part. --- End Message --- --- Begin Message --- Hi Raphael, On Sat, Nov 29, 2008 at 03:10:21PM -0600, Raphael Geissert wrote: > Package: security-tracker > Severity: wishlist > > It would be great to provide such report, as to have a link to it on > the DDPO. While looking at some open bugs for the security-tracker I encountered this one. I think the Debian maintainer dashboard might be a better option to include this overview (actually it does schon already open security issues in one maintainers view). Regards, Salvatore--- End Message ---
Processed: closing 919977
Processing commands for cont...@bugs.debian.org: > close 919977 Bug #919977 [security-tracker] security-tracker: https://security-tracker.debian.org/tracker/data/json returns stale data Marked Bug as done > thanks Stopping processing here. Please contact me if you need assistance. -- 919977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: buster-ignore some pseudo-package RC level bugs
Processing commands for cont...@bugs.debian.org: > tags 497471 buster-ignore bullseye-ignore Bug #497471 [cdimage.debian.org] sarge images have syslinux binaries without source Added tag(s) buster-ignore and bullseye-ignore. > tags 507706 buster-ignore bullseye-ignore Bug #507706 [cdimage.debian.org] Missing sources for d-i components/kernel of etch-n-half images Added tag(s) buster-ignore and bullseye-ignore. > tags 548024 buster-ignore bullseye-ignore Bug #548024 [www.debian.org] packages.debian.org: mirror doesn't close old databases Added tag(s) bullseye-ignore and buster-ignore. > tags 771971 jessie Bug #771971 [upgrade-reports] dpkg hangs installing "init" during upgrade from wheezy to jessie Added tag(s) jessie. > tags 775560 jessie Bug #775560 [upgrade-reports] upgrade-reports: Wheezy -> Jessie: machine becomes unbootable due to missing Grub Added tag(s) jessie. > tags 778695 jessie Bug #778695 [upgrade-reports] wheezy -> jessie: no gdm3 prompt, dependency loops and broken initrd Added tag(s) jessie. > tags 823236 buster-ignore bullseye-ignore Bug #823236 [sso.debian.org] login error Bug #823274 [sso.debian.org] login error Added tag(s) buster-ignore and bullseye-ignore. Added tag(s) buster-ignore and bullseye-ignore. > tags 864597 stretch Bug #864597 [upgrade-reports] upgrade-reports: jessie -> stretch: gnome fails to upgrade: cycle found while processing triggers Added tag(s) stretch. > tags 908678 buster-ignore bullseye-ignore Bug #908678 [security-tracker] security-tracker - Breaks salsa.d.o Added tag(s) bullseye-ignore and buster-ignore. > tags 915365 buster-ignore bullseye-ignore Bug #915365 [www.debian.org] historical.packages.debian.org: 404 for any page other than root Added tag(s) bullseye-ignore and buster-ignore. > tags 923510 buster-ignore bullseye-ignore Bug #923510 [bugs.debian.org] bugs.debian.org: 500 Internal Server Error when accessing bugs for 'linux' Added tag(s) bullseye-ignore and buster-ignore. > thanks Stopping processing here. 
Please contact me if you need assistance. -- 497471: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497471 507706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507706 548024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548024 771971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771971 775560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775560 778695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778695 823236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823236 823274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823274 864597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864597 908678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908678 915365: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915365 923510: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923510 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#922247: marked as done (security-tracker: please use new urlpath for DLAs on www.d.o)
Your message dated Tue, 19 Feb 2019 21:26:00 +0100 with message-id <20190219202600.GA17519@eldamar.local> and subject line Re: Bug#922247: security-tracker: please use new urlpath for DLAs on www.d.o has caused the Debian Bug report #922247, regarding security-tracker: please use new urlpath for DLAs on www.d.o to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 922247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922247 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- package: security-tracker x-debbugs-cc: debian-...@lists.debian.org Hi, this is a bug to track fixing this small glitch in the new www.debian.org/lts/security/ area: On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote: > >> * Adaptation in the security tracker so the new URL paths are used from > >> now on is also needed. > > right. shall we file a bug to not forget this? > Sure, please do. done. Salvatore also prepared a patch for this. 
-- tschau, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
--- End Message ---
--- Begin Message ---
Hi Holger,

On Thu, Feb 14, 2019 at 07:08:23AM +0100, Salvatore Bonaccorso wrote:
> Control: tags -1 + pending
>
> Hi Holger,
>
> On Wed, Feb 13, 2019 at 06:08:31PM +, Holger Levsen wrote:
> > package: security-tracker
> > x-debbugs-cc: debian-...@lists.debian.org
> >
> > Hi,
> >
> > this is a bug to track fixing this small glitch in the new
> > www.debian.org/lts/security/ area:
> >
> > On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> > > >> * Adaptation in the security tracker so the new URL paths are used from
> > > >> now on is also needed.
> > > > right. shall we file a bug to not forget this?
> > > Sure, please do.
> >
> > done. Salvatore also prepared a patch for this.
>
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/cfccb4bb04d4bc5129645fa48d17914d3fbf8936
> for reference. Bug can be closed once deployed.

Done.

Regards,
Salvatore
--- End Message ---
Processed: Re: Bug#922247: security-tracker: please use new urlpath for DLAs on www.d.o
Processing control commands: > tags -1 + pending Bug #922247 [security-tracker] security-tracker: please use new urlpath for DLAs on www.d.o Added tag(s) pending. -- 922247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922247 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: reopening 919977
Processing commands for cont...@bugs.debian.org: > reopen 919977 Bug #919977 {Done: Julien Cristau } [security-tracker] security-tracker: https://security-tracker.debian.org/tracker/data/json returns stale data Bug reopened Ignoring request to alter fixed versions of bug #919977 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 919977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#919977: marked as done (security-tracker: https://security-tracker.debian.org/tracker/data/json returns stale data)
Your message dated Mon, 21 Jan 2019 14:26:16 +0100 with message-id <20190121132616.ga8...@tomate.cristau.org> and subject line Re: Bug#919977: security-tracker: https://security-tracker.debian.org/tracker/data/json returns stale data has caused the Debian Bug report #919977, regarding security-tracker: https://security-tracker.debian.org/tracker/data/json returns stale data to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 919977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: important Dear Maintainer, the JSON stream of the Debian Security Bug Tracker seems to report stale data since the beginning of January 2019: $ curl -I https://security-tracker.debian.org/tracker/data/json HTTP/2 200 date: Mon, 21 Jan 2019 08:10:06 GMT ... content-length: 19836218 last-modified: Wed, 02 Jan 2019 19:49:17 GMT expires: Wed, 02 Jan 2019 20:57:34 GMT This breaks our process to monitor the Debian Security updates by processing the DSAs in a machine-readable format. 
Philipp -- System Information: Debian Release: 9.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- On Mon, Jan 21, 2019 at 09:27:19AM +0100, Philipp Hahn wrote: > Package: security-tracker > Severity: important > > Dear Maintainer, > > the JSON stream of the Debian Security Bug Tracker seems to report stale > data since the beginning of January 2019: > > $ curl -I https://security-tracker.debian.org/tracker/data/json > HTTP/2 200 > date: Mon, 21 Jan 2019 08:10:06 GMT > ... > content-length: 19836218 > last-modified: Wed, 02 Jan 2019 19:49:17 GMT > expires: Wed, 02 Jan 2019 20:57:34 GMT > > This breaks our process to monitor the Debian Security updates by > processing the DSAs in a machine-readable format. > Looks like at least one CDN node was returning stale data. I purged /tracker/data/json and things are looking ok now. Thanks for the report. Cheers, Julien--- End Message ---
Processed: tagging 887822
Processing commands for cont...@bugs.debian.org: > tags 887822 + patch Bug #887822 [security-tracker] Accept more variants of standard CVE identifier format Added tag(s) patch. > thanks Stopping processing here. Please contact me if you need assistance. -- 887822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887822 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 908678
Processing commands for cont...@bugs.debian.org: > tags 908678 + confirmed Bug #908678 [security-tracker] security-tracker - Breaks salsa.d.o Added tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 908678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908678 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#907723: link package versions on security-tracker to source packages
Processing control commands: > close -1 Bug #907723 [security-tracker] link package versions on security-tracker to source packages Marked Bug as done > tags -1 wontfix Bug #907723 {Done: Mike Gabriel } [security-tracker] link package versions on security-tracker to source packages Added tag(s) wontfix. -- 907723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907723 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#905304: marked as done (security-tracker: DSA-4259-1 vs. tracker)
Your message dated Thu, 2 Aug 2018 22:28:12 +0200 with message-id <20180802202812.GA12273@eldamar.local> and subject line Re: Bug#905304: security-tracker: DSA-4259-1 vs. tracker has caused the Debian Bug report #905304, regarding security-tracker: DSA-4259-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 905304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905304 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello! According to [DSA-4259-1], ruby2.3/2.3.3-1+deb9u3 fixes a number of vulnerabilities, among which CVE-2017-17405, CVE-2017-17742, CVE-2017-17790, and CVE-2018-6914. However, the tracker pages for [CVE-2017-17405], [CVE-2017-17742], [CVE-2017-17790], and [CVE-2018-6914] seem to disagree. Is the tracker wrong? Please update the tracker data, then. Is the DSA wrong? Please clarify (I searched in the tracker commit history on Salsa, but I failed to find any explicit explanation about this discrepancy...). Thanks for your time! 
[DSA-4259-1]: <https://lists.debian.org/debian-security-announce/2018/msg00188.html>
[CVE-2017-17405]: <https://security-tracker.debian.org/tracker/CVE-2017-17405>
[CVE-2017-17742]: <https://security-tracker.debian.org/tracker/CVE-2017-17742>
[CVE-2017-17790]: <https://security-tracker.debian.org/tracker/CVE-2017-17790>
[CVE-2018-6914]: <https://security-tracker.debian.org/tracker/CVE-2018-6914>
--- End Message ---
--- Begin Message ---
Hi Francesco,

On Thu, Aug 02, 2018 at 10:00:31PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello!
>
> According to [DSA-4259-1], ruby2.3/2.3.3-1+deb9u3 fixes a number of
> vulnerabilities, among which CVE-2017-17405, CVE-2017-17742,
> CVE-2017-17790, and CVE-2018-6914.
>
> However, the tracker pages for [CVE-2017-17405], [CVE-2017-17742],
> [CVE-2017-17790], and [CVE-2018-6914] seem to disagree.
>
> Is the tracker wrong?
> Please update the tracker data, then.

The tracker was wrong due to the human error in https://salsa.debian.org/security-tracker-team/security-tracker/commit/a5e9c1099e5f5a29832b60c97f3d9d0f61a538cf , which needed to be added manually due to an unrelated problem while updating tracker and releasing the DSA.

Thanks for spotting! All the information should be up to date in at most an hour.

Regards,
Salvatore
--- End Message ---
Bug#903816: marked as done (security-tracker: CVE-2017-17689 vs. tracker)
Your message dated Sun, 15 Jul 2018 13:38:52 +0200 with message-id <20180715113852.GA7817@eldamar.local> and subject line Re: Bug#903816: security-tracker: CVE-2017-17689 vs. tracker has caused the Debian Bug report #903816, regarding security-tracker: CVE-2017-17689 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 903816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903816 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everyone! According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes CVE-2017-17689 in stretch (security), among other vulnerabilities. However the tracker page for [CVE-2017-17689] seems to disagree, while, on the other hand, referencing bug [#898631], which is claimed to be fixed in oldstable, stable, testing, and unstable. But please note that bug [#898631] does not mention CVE-2017-17689 at all! Oh what a headache! Which is wrong and which is right? Could you please clarify and update the tracker data, if needed? Thanks for your time! [DSA-4244-1]: <https://lists.debian.org/debian-security-announce/2018/msg00173.html> [CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689> [#898631]: <https://bugs.debian.org/898631> --- End Message --- --- Begin Message --- On Sun, Jul 15, 2018 at 10:45:38AM +0200, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everyone! > > According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes > CVE-2017-17689 in stretch (security), among other vulnerabilities. 
>
> However the tracker page for [CVE-2017-17689] seems to disagree,
> while, on the other hand, referencing bug [#898631], which is claimed
> to be fixed in oldstable, stable, testing, and unstable.
>
> But please note that bug [#898631] does not mention CVE-2017-17689
> at all!
>
> Oh what a headache!
> Which is wrong and which is right?
>
> Could you please clarify and update the tracker data, if needed?
>
> Thanks for your time!
>
> [DSA-4244-1]:
> <https://lists.debian.org/debian-security-announce/2018/msg00173.html>
> [CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
> [#898631]: <https://bugs.debian.org/898631>

In short, the tracker is correct. The initial DSA mail did contain the mention of the CVE-2017-17689, but it was wrongly listed. This is why it was reverted in https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b041892b1d953fabb4ef8636c02b427a2771663 and the website is as well correct (the mail obviously cannot be fixed retrospectively).

Regards,
Salvatore
--- End Message ---
Processed: closing 901777
Processing commands for cont...@bugs.debian.org: > close 901777 Bug #901777 [security-tracker] security-tracker: When i open Facebook All my other pages Crash at Once. They All Shut down. Marked Bug as done > thanks Stopping processing here. Please contact me if you need assistance. -- 901777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901777 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#829172: marked as done (security-tracker: New 'postponed' tag for issues warranting a DSA but postponed while waiting for more serious issues)
Your message dated Fri, 11 Aug 2017 22:10:01 +0200 with message-id <20170811201001.owto44pe4rz6lp54@eldamar.local> and subject line Re: Bug#829172: security-tracker: New 'postponed' tag for issues warranting a DSA but postponed while waiting for more serious issues has caused the Debian Bug report #829172, regarding security-tracker: New 'postponed' tag for issues warranting a DSA but postponed while waiting for more serious issues to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
829172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: wishlist

Hi

It would be nice to have a new tag handled in similar way to 'no-dsa' called 'postponed'.

In some cases an issue warrants a DSA, but can be postponed until more urgent issues appear for that given package. Currently those are marked in free text form usually like

[jessie] - foo (Can be included in future DSA)

but that is prone to be forgotten when preparing then the update for foo.

It thus will be nice to be able to distinct cases which are really just and those which warrants a DSA, but can be postponed, and thus be marked e.g.

[jessie] - foo

It though need evaluation which parts of the tracker/cronjobs/scripts would be affected by such a change.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
this has been implemented during Debconf17 by Sebastien Delafond. Closing the bug.

Regards,
Salvatore
--- End Message ---
Bug#727742: marked as done (security-tracker: allow searching for "CVE 2013-4327" (with a space))
Your message dated Mon, 7 Aug 2017 18:19:57 +0200 with message-id <20170807161957.zxp5fd2jwdqsrin2@pisco.westfalen.local> and subject line Re: security-tracker: allow searching for "CVE 2013-4327" (with a space) has caused the Debian Bug report #727742, regarding security-tracker: allow searching for "CVE 2013-4327" (with a space) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 727742: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727742 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist In some places on the web and mailing lists, CVEs are referenced with a space instead of a dash (CVE 2013-4327 instead of CVE-2013-4327). It would be nice if I could copy and paste these into the search box and have the right CVE show up without having to adjust the space to a dash. -- bye, pabs http://wiki.debian.org/PaulWise signature.asc Description: This is a digitally signed message part --- End Message --- --- Begin Message --- On Sat, Oct 26, 2013 at 11:02:24AM +0800, Paul Wise wrote: > Package: security-tracker > Severity: wishlist > > In some places on the web and mailing lists, CVEs are referenced with a > space instead of a dash (CVE 2013-4327 instead of CVE-2013-4327). It > would be nice if I could copy and paste these into the search box and > have the right CVE show up without having to adjust the space to a dash. These are not terribly common from my PoV, I'd rather match the exact format only. Cheers, Moritz--- End Message ---
Bug#681867: marked as done (security-tracker: link to prsc tracker)
Your message dated Mon, 7 Aug 2017 18:18:29 +0200 with message-id <20170807161829.jaewuv5bjxcbhcf5@pisco.westfalen.local> and subject line Closing has caused the Debian Bug report #681867, regarding security-tracker: link to prsc tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 681867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681867 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist Hi, Where bugs are marked no-dsa and there is a bug number, a link to the PRSC tracker from the public web pages would be nice. Links should be to http://prsc.debian.net/tracker/ Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 --- End Message --- --- Begin Message --- Tracker no longer exists, closing.--- End Message ---
Bug#761945: marked as done (security-tracker: link to DLA details from Source field)
Your message dated Wed, 29 Mar 2017 13:26:44 +0800 with message-id <1490765204.25136.1.ca...@debian.org> and subject line Re: security-tracker: link to DLA details from Source field has caused the Debian Bug report #761945, regarding security-tracker: link to DLA details from Source field to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 761945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761945 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist DLAs include a "Source" field that simply says "Debian LTS Team". It would be nice if, like DSAs, the "Source" field linked to a source of further information, like the mailing list archive or the Debian website or to the security tracker SVN/git repository. https://security-tracker.debian.org/tracker/DLA-55-1 https://security-tracker.debian.org/tracker/DSA-3020-1 -- bye, pabs https://wiki.debian.org/PaulWise signature.asc Description: This is a digitally signed message part --- End Message --- --- Begin Message --- Version: r50156 On Wed, 17 Sep 2014 15:02:27 +0800 Paul Wise wrote: > DLAs include a "Source" field that simply says "Debian LTS Team". It > would be nice if, like DSAs, the "Source" field linked to a source of > further information, like the mailing list archive or the Debian website > or to the security tracker SVN/git repository. 
This has been fixed in SVN r50156: https://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=50156 -- bye, pabs https://wiki.debian.org/PaulWise signature.asc Description: This is a digitally signed message part --- End Message ---
Bug#850728: marked as done (security-tracker: DSA-3756-1 vs. tracker)
Your message dated Mon, 9 Jan 2017 20:15:23 +0100 with message-id <20170109191523.ga9...@inutil.org> and subject line Re: Bug#850728: security-tracker: DSA-3756-1 vs. tracker has caused the Debian Bug report #850728, regarding security-tracker: DSA-3756-1 vs. tracker to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
850728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: normal

Hello everyone!

DSA-3756-1 [1] claims to talk about CVE-2017-5208 [2], but the CVE official list seems to know nothing about it [3].

Actually, have *so many* vulnerabilities been already indexed in the just started year 2017 ?!?

Is this a typo? Which is the correct CVE number?

Please clarify and fix the tracker data, as appropriate.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2017/msg6.html
[2] https://security-tracker.debian.org/tracker/CVE-2017-5208
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
--- End Message ---
--- Begin Message ---
On Mon, Jan 09, 2017 at 06:27:01PM +, Luedtke, Nicholas (HPE Linux Security) wrote:
> It is indeed valid. It is not uncommon for the mitre list to take some time
> to catch up. The CVE ids are blocked to various CNAs leading to the 5000s
> being currently assigned.

Indeed, closing.

Cheers,
Moritz
--- End Message ---
Processed: closing 805079
Processing commands for cont...@bugs.debian.org: > close 805079 Bug #805079 [security-tracker] security-tracker: External check for CVEs from Red Hat not working anymore Marked Bug as done > thanks Stopping processing here. Please contact me if you need assistance. -- 805079: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805079 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: unmerge 818251 818253
Processing commands for cont...@bugs.debian.org: > unmerge 818251 Bug #818251 [security-tracker] security-tracker: do not mention TEMP-*-* identifiers on security issue pages Ignoring request to unmerge a bug which is not merged with any others. > -- Stopping processing here. Please contact me if you need assistance. -- 818251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818251 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: unmerging 818253
Processing commands for cont...@bugs.debian.org: > unmerge 818253 Bug #818253 [security-tracker] security-tracker: do not mention TEMP-*-* identifiers on source package pages Bug #818251 [security-tracker] security-tracker: do not mention TEMP-*-* identifiers on security issue pages Disconnected #818253 from all other report(s). > thanks Stopping processing here. Please contact me if you need assistance. -- 818251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818251 818253: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818253 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: merging duplicate bugreports
Processing commands for cont...@bugs.debian.org: > merge 818251 818253 Bug #818251 [security-tracker] security-tracker: do not mention TEMP-*-* identifiers on security issue pages Bug #818253 [security-tracker] security-tracker: do not mention TEMP-*-* identifiers on source package pages Merged 818251 818253 > End of message, stopping processing here. Please contact me if you need assistance. -- 818251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818251 818253: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818253 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#818118: marked as done (security-tracker: It's possible for any user to steal root console output)
Your message dated Tue, 15 Mar 2016 14:10:52 +0100 with message-id <20160315131052.ga18...@lorien.valinor.li> and subject line Re: Bug#818118: security-tracker: It's possible for any user to steal root console output has caused the Debian Bug report #818118, regarding security-tracker: It's possible for any user to steal root console output to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
818118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818118
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?

1. Open root console
2. apt-get any framebuffer grabbing utility (e.g. fbgrab)
3. switch to a graphical interface of any other user
4. run "fbgrab /path/whatever.png"
5. Now you've got a root console output, with possibly its secret information

   * What outcome did you expect instead?

This may sound ridiculous but I don't want regular users to be able to watch over another user consoles. Especially root console. You know, anyone on the computer can just launch a script that will grab the root console output continuously revealing everything the root was doing.

*** End of the template - remove these template lines ***

This may be hardware-specific, so in this case - I'm using AMD graphics card with "radeon" driver.

-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Hi,

On Mon, Mar 14, 2016 at 02:08:06AM +0500, nomatter wrote:
> Package: security-tracker
> Severity: normal
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where appropriate ***
>
>    * What led up to the situation?
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>    * What was the outcome of this action?
>
> 1. Open root console
> 2. apt-get any framebuffer grabbing utility (e.g. fbgrab)
> 3. switch to a graphical interface of any other user
> 4. run "fbgrab /path/whatever.png"
> 5. Now you've got a root console output, with possibly its secret information
>
>    * What outcome did you expect instead?
>
> This may sound ridiculous but I don't want regular users to be able
> to watch over another user consoles. Especially root console. You
> know, anyone on the computer can just launch a script that will grab
> the root console output continuously revealing everything the root
> was doing.
>
> *** End of the template - remove these template lines ***
> This may be hardware-specific, so in this case - I'm using AMD
> graphics card with "radeon" driver.

This is not a bug in the security-tracker.

Regards,
Salvatore
--- End Message ---
Bug#813878: marked as done (security-tracker: DSA-3464-1 vs. tracker)
Your message dated Sat, 6 Feb 2016 11:16:05 +0100 with message-id <20160206101605.GA4171@eldamar.local> and subject line Re: Bug#813878: security-tracker: DSA-3464-1 vs. tracker has caused the Debian Bug report #813878, regarding security-tracker: DSA-3464-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 813878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813878 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi everyone! DSA-3464-1 [1] states that several vulnerabilities are fixed in rails/2:4.2.5.1-1 for sid, but the tracker claims that two of them [2][3] are still unfixed in sid. Is the DSA wrong or should the tracker data be updated? Please clarify, thanks for your time! [1] https://lists.debian.org/debian-security-announce/2016/msg00034.html [2] https://security-tracker.debian.org/tracker/CVE-2015-3226 [3] https://security-tracker.debian.org/tracker/CVE-2015-3227 --- End Message --- --- Begin Message --- Hi Francesco, On Sat, Feb 06, 2016 at 10:30:42AM +0100, Francesco Poli (wintermute) wrote: > Hi everyone! > > DSA-3464-1 [1] states that several vulnerabilities are fixed in > rails/2:4.2.5.1-1 for sid, but the tracker claims that two of > them [2][3] are still unfixed in sid. > > Is the DSA wrong or should the tracker data be updated? > Please clarify, thanks for your time! Thanks fixed the tracker information (both were fixed in 4.2.2 upstream). Regards, Salvatore--- End Message ---
Processed: bug 805079 has no owner
Processing commands for cont...@bugs.debian.org: > # for the moment give-back > noowner 805079 Bug #805079 [security-tracker] security-tracker: External check for CVEs from Red Hat not working anymore Removed annotation that Bug was owned by car...@debian.org. > thanks Stopping processing here. Please contact me if you need assistance. -- 805079: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805079 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#803591: marked as done (security-tracker: DSA-3381-1 vs. tracker)
Your message dated Sun, 1 Nov 2015 05:53:26 +0100 with message-id <20151101045326.GA24620@eldamar.local> and subject line Re: Bug#803591: security-tracker: DSA-3381-1 vs. tracker has caused the Debian Bug report #803591, regarding security-tracker: DSA-3381-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 803591: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803591 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everybody! DSA-3381-1 [1] states that several vulnerabilities are fixed in openjdk-7/7u85-2.6.1-5 for sid, but the tracker [2] claims that many of those vulnerabilities are only fixed in openjdk-7/7u85-2.6.1-6 . Is that a typo in the DSA or should the tracker data be updated? Moreover the tracker claims [3] that one of the vulnerabilities (CVE-2015-4871) is unfixed in sid. Again: is the DSA wrong or should the tracker data be updated? Please clarify, thanks for your time! [1] https://lists.debian.org/debian-security-announce/2015/msg00280.html [2] see links for CVE ids in https://security-tracker.debian.org/tracker/DSA-3381-1 [3] https://security-tracker.debian.org/tracker/CVE-2015-4871 --- End Message --- --- Begin Message --- On Sat, Oct 31, 2015 at 04:52:01PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everybody! > > DSA-3381-1 [1] states that several vulnerabilities are fixed in > openjdk-7/7u85-2.6.1-5 for sid, but the tracker [2] claims that many > of those vulnerabilities are only fixed in openjdk-7/7u85-2.6.1-6 . 
> Is that a typo in the DSA or should the tracker data be updated?

I have updated the webpage to reflect the correct version for sid now as well (cf. https://www.debian.org/security/2015/dsa-3381)

There will be a regression update for jessie-security soon. So closing this bugreport now.

Thanks for your time doublechecking the entries!

Regards,
Salvatore
--- End Message ---
Processed: tagging 803591
Processing commands for cont...@bugs.debian.org: > tags 803591 + confirmed Bug #803591 [security-tracker] security-tracker: DSA-3381-1 vs. tracker Added tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 803591: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803591 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#792050: marked as done (security-tracker: DSA-330[67]-1 vs. tracker)
Your message dated Fri, 10 Jul 2015 23:44:24 +0200 with message-id <20150710214424.GA22874@kronk.local> and subject line Re: Bug#792050: security-tracker: DSA-330[67]-1 vs. tracker has caused the Debian Bug report #792050, regarding security-tracker: DSA-330[67]-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 792050: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792050 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi everybody! The tracker pages [1][2] for DSA-3306-1 [3] and DSA-3307-1 [4] do not seem to be linked with CVE-2015-1868 [5], which, according to the tracker, seems to be fixed everywhere, while the DSAs [3][4] seem to disagree. Please fix the tracker data. Thanks for your time! [1] https://security-tracker.debian.org/tracker/DSA-3306-1 [2] https://security-tracker.debian.org/tracker/DSA-3307-1 [3] https://lists.debian.org/debian-security-announce/2015/msg00202.html [4] https://lists.debian.org/debian-security-announce/2015/msg00203.html [5] https://security-tracker.debian.org/tracker/CVE-2015-1868 --- End Message --- --- Begin Message --- On Fri, Jul 10, 2015 at 07:15:44PM +0200, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hi everybody! > > The tracker pages [1][2] for DSA-3306-1 [3] and DSA-3307-1 [4] > do not seem to be linked with CVE-2015-1868 [5], which, > according to the tracker, seems to be fixed everywhere, > while the DSAs [3][4] seem to disagree. 
Technically DSA-3306-1 and DSA-3307-1 were about CVE-2015-5470 (incomplete fix for CVE-2015-1868) but when the DSAs were released that CVE did not exist yet (it was assigned like 5 minutes ago) so I used CVE-2015-1868 for reference instead. Since we now have CVE-2015-5470 [0], I updated all the references accordingly. Cheers [0] https://security-tracker.debian.org/tracker/CVE-2015-5470 signature.asc Description: Digital signature --- End Message ---
Bug#789490: marked as done (security-tracker: DSA-3290-1 vs. tracker)
Your message dated Sun, 21 Jun 2015 21:15:23 +0200 with message-id <20150621191523.GA5172@eldamar.local> and subject line Re: Bug#789490: security-tracker: DSA-3290-1 vs. tracker has caused the Debian Bug report #789490, regarding security-tracker: DSA-3290-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 789490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789490 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello! DSA-3290-1 [1] states that CVE-2015-3636 is fixed in linux/3.16.7-ckt11-1, but the tracker shows somewhat self-inconsistent information about this vulnerability [2], claiming that linux/3.16.7-ckt11-1 is fixed in jessie, but vulnerable in stretch, despite being apparently the same exact version. Please clarify and/or fix the tracker data. Thanks for your time! [1] https://lists.debian.org/debian-security-announce/2015/msg00186.html [2] https://security-tracker.debian.org/tracker/CVE-2015-3636 --- End Message --- --- Begin Message --- Hi Francesco, On Sun, Jun 21, 2015 at 03:46:19PM +0200, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello! > > DSA-3290-1 [1] states that CVE-2015-3636 is fixed in > linux/3.16.7-ckt11-1, but the tracker shows somewhat > self-inconsistent information about this vulnerability [2], > claiming that linux/3.16.7-ckt11-1 is fixed in jessie, > but vulnerable in stretch, despite being apparently the > same exact version. > > Please clarify and/or fix the tracker data. 
Have added a workaround entry in the security-tracker, explicitly marking the stretch version as well fixed with 3.16.7-ckt11-1. Regards, Salvatore--- End Message ---
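The inconsistency reported in Bug#789490 above, as an added example that is not part of the original messages or of the security-tracker code: a check that flags any package version carrying different statuses in different releases. The record shape follows the tracker's per-release JSON ("repositories", "status", "urgency"); the sample data, the `resolved` status value, the `CVE-0000-0001` placeholder and the function names are assumptions.

```python
import json

# Constructed sample. Each CVE maps release -> record in the per-release shape
# of the tracker's JSON output ("repositories", "status", "urgency").
# The CVE-2015-3636 versions come from the report above; the "resolved" status
# value, the urgency values and the CVE-0000-0001 placeholder are assumptions.
SAMPLE = json.loads("""
{
  "CVE-2015-3636": {
    "jessie":  {"repositories": {"jessie": "3.16.7-ckt11-1"},
                "status": "resolved", "urgency": "low"},
    "stretch": {"repositories": {"stretch": "3.16.7-ckt11-1"},
                "status": "open", "urgency": "low"}
  },
  "CVE-0000-0001": {
    "jessie":  {"repositories": {"jessie": "1.0-1+deb8u1"},
                "status": "resolved", "urgency": "low"},
    "stretch": {"repositories": {"stretch": "1.0-1"},
                "status": "open", "urgency": "low"}
  }
}
""")


def conflicting_versions(releases):
    """Map each version that carries more than one status to {status: [releases]}.

    The same source version is the same code, so it should never be both
    fixed and vulnerable; a hit points at tracker data that needs review.
    """
    seen = {}
    for release, record in releases.items():
        status = record.get("status", "unknown")
        # A release may list several repositories (e.g. main and security).
        for version in record.get("repositories", {}).values():
            seen.setdefault(version, {}).setdefault(status, set()).add(release)
    return {
        version: {status: sorted(rels) for status, rels in statuses.items()}
        for version, statuses in seen.items()
        if len(statuses) > 1
    }


def scan(cves):
    """Return sorted (cve, version, statuses) tuples for every contradiction."""
    findings = []
    for cve, releases in cves.items():
        for version, statuses in conflicting_versions(releases).items():
            findings.append((cve, version, statuses))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for cve, version, statuses in scan(SAMPLE):
        print(f"{cve}: {version} -> {statuses}")
```
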
Bug#788685: marked as done (security-tracker: DSA-3288-1 vs. tracker)
Your message dated Sun, 14 Jun 2015 15:16:18 +0200 with message-id and subject line Re: Bug#788685: security-tracker: DSA-3288-1 vs. tracker has caused the Debian Bug report #788685, regarding security-tracker: DSA-3288-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 788685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788685 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello! There seems to be no tracker page [1] for DSA-3288-1 [2], yet. Please update the tracker data. Thanks for your time! [1] https://security-tracker.debian.org/tracker/DSA-3288-1 [2] https://lists.debian.org/debian-security-announce/2015/msg00183.html --- End Message --- --- Begin Message --- On Sun, June 14, 2015 11:03, Francesco Poli \(wintermute\) wrote: > There seems to be no tracker page [1] for DSA-3288-1 [2], yet. > Please update the tracker data. Fixed, thanks! Thijs--- End Message ---
Bug#783800: marked as done (security-tracker: squeeze-lts/non-free not handled correctly)
Your message dated Wed, 10 Jun 2015 17:27:33 +0200 with message-id <201506101727.45057.hol...@layer-acht.org> and subject line Re: Bug#783800: security-tracker: squeeze-lts/non-free not handled correctly has caused the Debian Bug report #783800, regarding security-tracker: squeeze-lts/non-free not handled correctly to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
783800: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783800
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: important

It looks like that squeeze-lts/non-free is not handled correctly. Have a look at jruby:

$ rmadison jruby
jruby | 1.5.1-1        | oldoldstable/non-free       | source, all
jruby | 1.5.1-1+deb6u1 | buildd-squeeze-lts/non-free | source, all
jruby | 1.5.1-1+deb6u1 | squeeze-lts/non-free        | source, all
[...]

Version 1.5.1-1+deb6u1 fixes CVE-2011-4838 and CVE-2012-5370 through DLA-209-1. Yet https://security-tracker.debian.org/tracker/source-package/jruby doesn't show any "squeeze (lts)" or "squeeze/non-free (lts)" column showing that it's fixed there.

And the JSON output for those CVE pretend that the issue is still open:

"squeeze": {
  "repositories": {
    "squeeze": "1.5.1-1"
  },
  "status": "open",
  "urgency": "high**"
},

-- System Information:
Debian Release: 8.0
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Hi Raphaël,

On Thursday, 30 April 2015, Raphaël Hertzog wrote:
> It looks like that squeeze-lts/non-free is not handled correctly. Have a

I've finally fixed this issue with svn r34846 and deployed this to soler.d.o and am updating the database now, so the fix shall be visible in a few minutes.

cheers,
Holger

signature.asc Description: This is a digitally signed message part.
--- End Message ---
Bug#784436: marked as done (security-tracker: contradictory status information on security-tracker.debian.org)
Your message dated Wed, 6 May 2015 13:51:18 +0200 with message-id <20150506115118.GB17132@eldamar.local> and subject line Re: Bug#784436: security-tracker: contradictory status information on security-tracker.debian.org has caused the Debian Bug report #784436, regarding security-tracker: contradictory status information on security-tracker.debian.org to be marked as done.

-- 784436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784436

--- Begin Message ---
Package: security-tracker
Severity: normal

On https://security-tracker.debian.org/tracker/CVE-2014-3660 I can see:

Release  Version        Status
jessie   2.9.1+dfsg1-5  fixed
stretch  2.9.1+dfsg1-5  vulnerable

i.e. the same version of the package is listed both as fixed and vulnerable! According to bug 765722, it should be fixed.

This is very confusing for the user who wants to know whether some installed package is vulnerable or not.

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
--- End Message ---

--- Begin Message ---
Hi Vincent,

On Wed, May 06, 2015 at 01:06:07PM +0200, Vincent Lefevre wrote:
> Package: security-tracker
> Severity: normal
>
> On https://security-tracker.debian.org/tracker/CVE-2014-3660 I can see:
>
> Release  Version        Status
> jessie   2.9.1+dfsg1-5  fixed
> stretch  2.9.1+dfsg1-5  vulnerable
>
> i.e. the same version of the package is listed both as fixed and
> vulnerable! According to bug 765722, it should be fixed.
>
> This is very confusing for the user who wants to know whether some
> installed package is vulnerable or not.

I have fixed the entry in the security-tracker, thanks for reporting!

Regards, Salvatore
--- End Message ---
Bug#784214: marked as done (make sure regression updates are documented)
Your message dated Mon, 4 May 2015 14:49:27 +0200 with message-id <201505041449.43255.hol...@layer-acht.org> and subject line Re: Bug#784214: allow manual override for the regression DLA/DSA Id has caused the Debian Bug report #784214, regarding make sure regression updates are documented to be marked as done.

-- 784214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784214

--- Begin Message ---
Package: security-tracker
Severity: wishlist
Tags: patch

Hi,

attached is a patch that adds manual DLA/DSA id override support if an upload tackles a regression already announced via an earlier DSA/DLA.

Current use case / example:

xorg-server +deb6u1 (DLA-120-1) fixed CVE-2014-8092
xorg-server +deb6u2 (DLA-218-1) fixed some other CVE (irrelevant here)
xorg-server +deb6u3 (DLA-120-2) fixes CVE-2015-3418 (regression of fix for CVE-2014-8092)

At the moment: when using bin/genDLA like this:

$ bin/gen-DLA --save xorg-server regression CVE-2015-3418

the script will create a follow-DLA for 218-1 (i.e., 218-2). Whereas the correct/wanted DLA id would be 120-2.

The attached patch allows one to specify the DLA id to follow up on with the "regression" keyword. Thus, with the patch applied, I can do this:

$ bin/gen-DLA --save xorg-server regression:120-1 CVE-2015-3418

which then will provide me with a DLA-120-2 mail template and put the prepared upload of my xorg-server package into data/DLA/list.
What could be added: o check, if the manual specified override exists and is for the same package light+love, Mike -- System Information: Debian Release: 8.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Index: bin/gen-DSA === --- bin/gen-DSA (revision 34054) +++ bin/gen-DSA (working copy) @@ -157,8 +157,12 @@ shift TYPE=security -if [ regression = "$1" ]; then +REGRESSION_DAID= +if printf '%s' "$1" | grep -Eq '^regression(|:[0-9]+(-[0-9]+|))$'; then TYPE=regression +if printf '%s' "$1" | grep -Eq '^regression:([0-9]+(-[0-9]+|))$'; then + REGRESSION_DAID=$(printf '%s' "$1" | sed -r 's/^regression:([0-9]+(-[0-9]+|))/\1/') +fi shift fi 
@@ -235,7 +239,11 @@ if [ -z "$DAID" ]; then if [ "$TYPE" = regression ]; then - latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)" + if [ -z "$REGRESSION_DAID" ]; then + latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)" + else + latest_daid="$REGRESSION_DAID" + fi revision=${latest_daid#*-} daid=${latest_daid%-*} else --- End Message --- --- Begin Message --- Hi Mike, On Montag, 4. Mai 2015, Mike Gabriel wrote: > Done that for the LTS team: > https://wiki.debian.org/LTS/Development?action=diff&rev1=84&rev2=85 Thanks. > Anywhere else? I don't think so, this is rather clear: $ ./bin/gen-DLA usage: ./bin/gen-DLA [--save] [--embargoed|--unembargo] [DLA] package [regression] [cve(s) [bugnumber(s)]] 'DLA' is the DLA number, required when issuing a revision (same for gen-DSA) Thus closing, thanks. cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
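Review bot: In the first hunk (@@ -157,8 +157,12 @@), the pattern `^regression(|:[0-9]+(-[0-9]+|))$` makes the revision optional, so `regression:120` is accepted and REGRESSION_DAID is set to a bare `120`, while the report only describes the `regression:120-1` form. Either require `:[0-9]+-[0-9]+` or handle the bare id explicitly. The empty alternatives `(|...)` and `(...|)` give undefined results in POSIX ERE; `(...)?` is the portable spelling. The second grep plus the sed could be replaced by a parameter expansion such as `${1#regression:}` once the first test has matched, and the usage text should mention the new `regression:ID` form, which neither hunk touches.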
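Review bot: In the second hunk (@@ -235,7 +239,11 @@), `latest_daid="$REGRESSION_DAID"` takes the override as given, without confirming that data/$IDMODE/list contains that id for $PACKAGE, which the submitter also lists as still to be added; a mistyped id would yield a follow-up number belonging to another package's advisory. The existing sed lookup could be reused with the id in its address to verify the entry before use. Note also that when the override has no revision (allowed by the first hunk's regex), `revision=${latest_daid#*-}` leaves the string unchanged, so revision and daid both end up as the bare id; reject that input or default the revision explicitly.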
Processed: Re: Bug#784214: allow manual override for the regression DLA/DSA Id
Processing control commands: > retitle -1 make sure regression updates are documented Bug #784214 [security-tracker] allow manual override for the regression DLA/DSA Id Changed Bug title to 'make sure regression updates are documented' from 'allow manual override for the regression DLA/DSA Id' > tags -1 - patch Bug #784214 [security-tracker] make sure regression updates are documented Removed tag(s) patch. -- 784214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784214 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b784214.14307269522751.transcr...@bugs.debian.org
Bug#761859: marked as done (security-tracker: please provide more information via JSON file for tracker.d.o)
Your message dated Mon, 27 Apr 2015 16:23:18 +0200 with message-id <201504271623.20630.hol...@layer-acht.org> and subject line Re: Bug#761859: security-tracker json deployed has caused the Debian Bug report #761859, regarding security-tracker: please provide more information via JSON file for tracker.d.o to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 761859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761859 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- package: tracker.debian.org severity: wishlist x-debbugs-cc: debian-security-tracker@lists.debian.org Hi, the information gathered in the security-tracker should be displayed in the package tracker.d.o. There is an interface for it, see https://security-tracker.debian.org/tracker/data/pts/1 This file lists source packages and the number of security issues. If there is none, no issues exist. Each source package has a URL of the form https://security-tracker.debian.org/tracker/source-package/bind9 Please implement this linking :-) cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message --- --- Begin Message --- Hi Raphael, On Montag, 20. April 2015, Raphael Hertzog wrote: > I just noticed that DLA/DSA end up referenced as security issues. See > for example DLA-204-1 and DLA-27-1 assigned to "file". > > Is that on purpose? no, fixed now. Thanks for reporting this issue! I'm closing the bug now, feel free to reopen or file new ones if needed! cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
Bug#762289: marked as done (security-tracker: link to new pts)
Your message dated Tue, 17 Mar 2015 19:27:00 +0100 with message-id <201503171927.01709.hol...@layer-acht.org> and subject line Re: Bug#762289: switching PTS links to tracker.d.o has caused the Debian Bug report #762289, regarding security-tracker: link to new pts to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 762289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762289 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- package: security-tracker severity: wishlist The security-tracker source package pages currently link to the old pts, which has some issues like not knowing about lts. Please link to the new pts (tracker.debian.org), which does understand lts. Best wishes, Mike --- End Message --- --- Begin Message --- Hi, On Dienstag, 10. März 2015, Henri Salo wrote: > Am I allowed to approve this change profoundly? very much appreciated! :) the change is now live, the actual link text still says "$pkg in the Package Tracking System"... (as it's still such a system...) cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
Processed: block 776428 with 761859
Processing commands for cont...@bugs.debian.org: > block 776428 with 761859 Bug #776428 [tracker.debian.org] tracker.debian.org: Add a link to the Security Bug Tracker 776428 was not blocked by any bugs. 776428 was not blocking any bugs. Added blocking bug(s) of 776428: 761859 > thanks Stopping processing here. Please contact me if you need assistance. -- 776428: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776428 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.c.142510613531163.transcr...@bugs.debian.org
Processed: security-tracker json deployed
Processing control commands: > tags -1 + pending Bug #761859 [security-tracker] security-tracker: please provide more information via JSON file for tracker.d.o Added tag(s) pending. -- 761859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761859 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b761859.142496699925577.transcr...@bugs.debian.org
Bug#777456: marked as done (security-tracker: DSA-2978-2 vs. tracker)
Your message dated Sun, 8 Feb 2015 15:04:49 +0100 with message-id <20150208140449.GA3429@eldamar.local> and subject line Re: Bug#777456: security-tracker: DSA-2978-2 vs. tracker has caused the Debian Bug report #777456, regarding security-tracker: DSA-2978-2 vs. tracker to be marked as done.

-- 777456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777456

--- Begin Message ---
Package: security-tracker
Severity: normal

Hello again,
there seems to be a typo in the tracker page for CVE-2014-3660 [1]: it states that the vulnerability is fixed in jessie by libxml2/2.9.1+dfsg1-5 , while DSA-2978-2 [2] says that the fixed version is 2.9.1+dfsg1-4 ...

Please fix the tracker data, if this is really a typo.

Thanks for your time!

[1] https://security-tracker.debian.org/tracker/CVE-2014-3660
[2] https://lists.debian.org/debian-security-announce/2015/msg00039.html
--- End Message ---

--- Begin Message ---
Hi Francesco,

Thanks for your quick follow-up, really appreciated!

On Sun, Feb 08, 2015 at 02:43:52PM +0100, Francesco Poli wrote:
> On Sun, 8 Feb 2015 13:58:36 +0100 Salvatore Bonaccorso wrote:
>
> [...]
> > The situation for the update in DSA-2978-2 is actually a bit
> > complicated.
> [...]
>
> I see...
>
> > So I would say (unless I now missed something) all the versions in
> > tracker are correct (apart we should have delayed adding 2.9.1+dfsg1-5
> > already, since it is not yet approved),
>
> Yep, I agree.
>
> [...]
> > So I would tend to close this bug, right away, or wait until
> > 2.9.1+dfsg1-5 is accepted into jessie via t-p-u,
>
> Please feel free to do as you prefer.
> The tracker is not incorrect, it just talks about a not-yet-available
> version...
> I hope that version gets accepted soon into t-p-u.

I hope so as well. So I'm closing this bugreport.

Thanks for your continuous contributions to have these glitches in tracker data fixed!

Salvatore
--- End Message ---
Bug#777458: marked as done (security-tracker: DSA-3156-1 vs. tracker)
Your message dated Sun, 8 Feb 2015 13:32:26 +0100 with message-id <20150208123226.GA25923@eldamar.local> and subject line Re: Bug#777458: security-tracker: DSA-3156-1 vs. tracker has caused the Debian Bug report #777458, regarding security-tracker: DSA-3156-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 777458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777458 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi again, DSA-3156-1 [1] states that CVE-2013-6933 is fixed in wheezy by vlc/2.0.3-5+deb7u2+b1 and mplayer/2:1.0~rc4.dfsg1+svn34540-1+deb7u1 . The CVE tracker page [2] seems to be unaware of these two fixed versions for vlc and mplayer. I don't know whether a binNMU can be correctly tracked, but I think that at least the fixed version for mplayer should be tracked... Please fix the tracker data. Thanks for your time! [1] https://lists.debian.org/debian-security-announce/2015/msg00041.html [2] https://security-tracker.debian.org/tracker/CVE-2013-6933 --- End Message --- --- Begin Message --- Hi Francesco, On Sun, Feb 08, 2015 at 12:47:10PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hi again, > DSA-3156-1 [1] states that CVE-2013-6933 is fixed in wheezy by > vlc/2.0.3-5+deb7u2+b1 and mplayer/2:1.0~rc4.dfsg1+svn34540-1+deb7u1 . > The CVE tracker page [2] seems to be unaware of these two fixed > versions for vlc and mplayer. 
> > I don't know whether a binNMU can be correctly tracked, but I think > that at least the fixed version for mplayer should be tracked... I have done so now and should show up soon on next sectracker update. For vlc this is indeed not possible right now. Regards, Salvatore--- End Message ---
Bug#777454: marked as done (security-tracker: DSA-3155-1 vs. tracker)
Your message dated Sun, 8 Feb 2015 13:02:53 +0100 with message-id <20150208120253.GA23743@eldamar.local> and subject line Re: Bug#777454: security-tracker: DSA-3155-1 vs. tracker has caused the Debian Bug report #777454, regarding security-tracker: DSA-3155-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 777454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777454 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everybody, there seems to be something weird going on. The tracker page [1] for DSA-3155-1 [2] looks OK: it states that the vulnerabilities are fixed in wheezy by postgresql-9.1/9.1.15-0+deb7u1 (in agreement with the DSA itself). On the other hand, the CVE tracker pages [3][4][5][6], despite being linked to DSA-3155-1, disagree with it, claiming that wheezy is still vulnerable. I thought that this was not even possible in the tracker! Apparently I was wrong... What did I fail to understand? Please fix the tracker data. Thanks for your time! 
[1] https://security-tracker.debian.org/tracker/DSA-3155-1 [2] https://lists.debian.org/debian-security-announce/2015/msg00038.html [3] https://security-tracker.debian.org/tracker/CVE-2014-8161 [4] https://security-tracker.debian.org/tracker/CVE-2015-0241 [5] https://security-tracker.debian.org/tracker/CVE-2015-0243 [6] https://security-tracker.debian.org/tracker/CVE-2015-0244 --- End Message --- --- Begin Message --- Hi, On Sun, Feb 08, 2015 at 12:24:54PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everybody, > there seems to be something weird going on. > > The tracker page [1] for DSA-3155-1 [2] looks OK: it states > that the vulnerabilities are fixed in wheezy by > postgresql-9.1/9.1.15-0+deb7u1 (in agreement with the DSA itself). > > On the other hand, the CVE tracker pages [3][4][5][6], despite > being linked to DSA-3155-1, disagree with it, claiming that wheezy > is still vulnerable. > > I thought that this was not even possible in the tracker! > Apparently I was wrong... > What did I fail to understand? We added a workaround to display postgresql-9.1 as unfixed in wheezy-security while a DSA was not yet released. This should be fixed by now. Regards, Salvatore--- End Message ---
Bug#776878: marked as done (security-tracker: DSA-3149-1 vs. tracker)
Your message dated Mon, 2 Feb 2015 22:21:10 +0100 with message-id <20150202212110.GA14899@eldamar.local> and subject line Re: Bug#776878: security-tracker: DSA-3149-1 vs. tracker has caused the Debian Bug report #776878, regarding security-tracker: DSA-3149-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 776878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776878 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi, the tracker page [1] for DSA-3149-1 [2] seems to lack the link to the relevant CVE [3]. Please fix the tracker data. Thanks for your time. [1] https://security-tracker.debian.org/tracker/DSA-3149-1 [2] https://lists.debian.org/debian-security-announce/2015/msg00033.html [3] https://security-tracker.debian.org/tracker/CVE-2014-8126 --- End Message --- --- Begin Message --- Ciao Francesco, On Mon, Feb 02, 2015 at 08:58:10PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hi, > the tracker page [1] for DSA-3149-1 [2] seems to lack the link to > the relevant CVE [3]. Thanks fixed! Regards, Salvatore--- End Message ---
Bug#582196: marked as done ("regression fix" dsa's should not alter previous fixed version info)
Your message dated Sat, 31 Jan 2015 18:33:05 -0500 with message-id and subject line Re: Bug#582196: marked as done ("regression fix" dsa's should not alter previous fixed version info) has caused the Debian Bug report #582196, regarding "regression fix" dsa's should not alter previous fixed version info to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 582196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582196 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- package: security-tracker dsa's that only provide regression fixes end up overriding old fixed version info, which makes it appear that the previous version was vulnerable in tracker views. this should be fixed. see: http://lists.debian.org/debian-security-tracker/2010/05/msg00027.html --- End Message --- --- Begin Message --- On Sat, Jan 17, 2015 at 9:55 AM, Thijs Kinkhorst wrote: > I'm not quite sure what needs to happen here. I agree with Moritz that the > correct way of tracking is not to add -2 DSA's to DSA/list and I think > that's the current MO. I agree. Best wishes, Mike--- End Message ---
Bug#776718: marked as done (security-tracker: DSA-3146-1 vs. tracker)
Your message dated Sat, 31 Jan 2015 11:21:37 -0500 with message-id and subject line Re: Bug#776718: security-tracker: DSA-3146-1 vs. tracker has caused the Debian Bug report #776718, regarding security-tracker: DSA-3146-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 776718: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776718 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello, the tracker page [1] for DSA-3146-1 [2] seems to lack the links to the relevant CVEs [3][4]. Please update the tracker data. Thanks for your time. [1] https://security-tracker.debian.org/tracker/DSA-3146-1 [2] https://lists.debian.org/debian-security-announce/2015/msg00029.html [3] https://security-tracker.debian.org/tracker/CVE-2014-1829 [4] https://security-tracker.debian.org/tracker/CVE-2014-1830 --- End Message --- --- Begin Message --- On Sat, Jan 31, 2015 at 11:11 AM, Francesco Poli (wintermute) wrote: > the tracker page [1] for DSA-3146-1 [2] seems to lack the links to > the relevant CVEs [3][4]. Fixed. Thanks! Best wishes, Mike--- End Message ---
Bug#776224: marked as done (security-tracker: DSA-3139-1 vs. tracker)
Your message dated Mon, 26 Jan 2015 08:24:12 +0100 with message-id <20150126072412.ga23...@lorien.valinor.li> and subject line Re: Bug#776224: security-tracker: DSA-3139-1 vs. tracker has caused the Debian Bug report #776224, regarding security-tracker: DSA-3139-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 776224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776224 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everybody, the tracker page [1] for DSA-3139-1 [2] seems to lack the link to CVE-2014-3609 [3]. Please fix the tracker data. Thanks for your time! [1] https://security-tracker.debian.org/tracker/DSA-3139-1 [2] https://lists.debian.org/debian-security-announce/2015/msg00022.html [3] https://security-tracker.debian.org/tracker/CVE-2014-3609 --- End Message --- --- Begin Message --- Hi Francesco, On Sun, Jan 25, 2015 at 06:06:23PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everybody, > the tracker page [1] for DSA-3139-1 [2] seems to lack the link to > CVE-2014-3609 [3]. Thanks, I have added the cross-reference, should show up soon. Regards, Salvatore--- End Message ---
Bug#529788: marked as done (Display all bugs, which don't have a bug filed)
Your message dated Sun, 18 Jan 2015 12:09:06 +0100 with message-id <87zj9gtkfh@mid.deneb.enyo.de> and subject line Re: Bug#529788: Display all bugs, which don't have a bug filed has caused the Debian Bug report #529788, regarding Display all bugs, which don't have a bug filed to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 529788: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529788 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist The web interface of the security tracker should get a new view which displays all bugs marked as unfixed which don't have a bug associated. This makes it easier to find the bugs which still need to be triaged (even it only means to file a bug and ask the maintainer to investigate) or find existing bugs which need to added to the tracker data. Cheers, Moritz -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/bash --- End Message --- --- Begin Message --- * Moritz Muehlenhoff: > The web interface of the security tracker should get a new view > which displays all bugs marked as unfixed which don't have a > bug associated. 
This is now available at:

<https://security-tracker.debian.org/tracker/status/unreported>

The implemented variant only looks at unstable and excludes vulnerabilities which are marked as unimportant and whose package is no longer at unstable.
--- End Message ---
Bug#769128: marked as done (security-tracker: Extra-Source-Only source packages need to be filtered out)
Your message dated Sun, 18 Jan 2015 00:33:03 +0100 with message-id <87a91hvv80@mid.deneb.enyo.de> and subject line Re: Bug#769128: security-tracker: Extra-Source-Only source packages need to be filtered out has caused the Debian Bug report #769128, regarding security-tracker: Extra-Source-Only source packages need to be filtered out to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 769128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769128 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal The security tracker currently displays some packages, e.g. kfreebsd-8 or src:eglibc which are not actually in jessie/sid. Packages having Extra-Source-Only: yes in the Sources file need to be filtered out. See #759356 and #699268 for more information. Cheers, Moritz --- End Message --- --- Begin Message --- * Moritz Muehlenhoff: > Package: security-tracker > Severity: normal > > The security tracker currently displays some packages, e.g. kfreebsd-8 or > src:eglibc > which are not actually in jessie/sid. Packages having Extra-Source-Only: yes > in the > Sources file need to be filtered out. See #759356 and #699268 for more > information. I've implemented that, entries with Extra-Source-Only: are filtered. (I'll add another check for "yes".)--- End Message ---
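The filtering discussed in Bug#769128, including the difference between dropping every stanza that has an Extra-Source-Only field and dropping only those where it is set to "yes", as an added Python example. This is not the security tracker's own code: the function names are hypothetical and the Sources excerpt is constructed (package names from the report, versions and other fields made up).

```python
"""Filter Extra-Source-Only stanzas out of a Sources index (added example)."""

# Constructed excerpt in the deb822 layout of a Debian Sources file.
SAMPLE_SOURCES = """\
Package: eglibc
Version: 1.0-1
Binary: libc6,
 libc6-dev
Extra-Source-Only: yes

Package: libxml2
Version: 2.9.1+dfsg1-5

Package: demo-src
Version: 1.0-1
Extra-Source-Only: no
"""


def parse_stanzas(text):
    """Yield one dict per paragraph; field names are lower-cased."""
    stanza, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            # A blank line ends the current paragraph.
            if stanza:
                yield stanza
            stanza, last = {}, None
        elif line[0] in " \t":
            # Continuation line: belongs to the previous field.
            if last is not None:
                stanza[last] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            stanza[last] = value.strip()
    if stanza:
        yield stanza


def is_extra_source_only(stanza, presence_only=False):
    """True when the stanza must not count as a package in the suite."""
    if presence_only:
        # Coarser variant: any Extra-Source-Only field hides the package.
        return "extra-source-only" in stanza
    return stanza.get("extra-source-only", "").strip().lower() == "yes"


def tracked_sources(text, presence_only=False):
    """Return (package, version) for every stanza that should be tracked."""
    return [
        (s["package"], s["version"])
        for s in parse_stanzas(text)
        if "package" in s and "version" in s
        and not is_extra_source_only(s, presence_only)
    ]


if __name__ == "__main__":
    print(tracked_sources(SAMPLE_SOURCES))
    print(tracked_sources(SAMPLE_SOURCES, presence_only=True))
```

With the presence-only variant the constructed `demo-src` stanza, which sets the field to "no", disappears from the tracked list as well; checking the value keeps it.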
Bug#718362: marked as done (security-tracker: packages that are only in experimental are considered not in the debian archive)
Your message dated Sat, 17 Jan 2015 23:54:06 +0100 with message-id <87mw5hvx0x@mid.deneb.enyo.de> and subject line Re: Bug#718362: security-tracker: packages that are only in experimental are considered not in the debian archive has caused the Debian Bug report #718362, regarding security-tracker: packages that are only in experimental are considered not in the debian archive to be marked as done.

-- 718362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718362

--- Begin Message ---
package: security-tracker
severity: normal

The list of unknown packages currently has a lot of noise since it lists all packages that are in experimental, but not in any other release:
https://security-tracker.debian.org/tracker/data/unknown-packages

An example (at least right now), see apport.

Best wishes, Mike
--- End Message ---

--- Begin Message ---
* Michael Gilbert:

> The list of unknown packages currently has a lot of noise since it
> lists all packages that are in experimental, but not in any other
> release:
> https://security-tracker.debian.org/tracker/data/unknown-packages

Luciano wrote a script to update the removed-packages file, and I added some magic to deal with packages in experimental, using the [experimental] annotation in CVE/list (which essentially disables the typo check for those packages). This means that the unknown packages overview is now usable again.
--- End Message ---
Processed: Re: Bug#508031: Tracking vulnerabilities that have already been patched in other distributions
Processing commands for cont...@bugs.debian.org: > tags 508031 wontfix Bug #508031 {Done: Moritz Mühlenhoff } [security-tracker] Tracking vulnerabilities that have already been patched in other distributions Added tag(s) wontfix. > thanks Stopping processing here. Please contact me if you need assistance. -- 508031: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508031 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.c.142150711927788.transcr...@bugs.debian.org
Bug#508031: marked as done (Tracking vulnerabilities that have already been patched in other distributions)
Your message dated Sat, 17 Jan 2015 16:03:26 +0100 with message-id <20150117150326.GA21958@pisco.westfalen.local> and subject line closing has caused the Debian Bug report #508031, regarding Tracking vulnerabilities that have already been patched in other distributions to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 508031: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508031 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: important Oftentimes, a fix gets released for other distributions, and then it takes weeks or months for Debian to apply the same fix. I wonder if this is primarily a communication issue and whether including this type of information in the tracker would help reduce this lag. The intent would be to increase the security team/package maintainers awareness of existing patches. Some current examples (not a comprehensive list, I only spent 5 minutes on this): CVE-2008-4552: fixed in ubuntu [1] CVE-2008-2379: fixed in fedora [2] I'm considering the severity important since leaving user's systems vulnerable while a fix exists is a very bad thing. If I get the time, I may look at trying to add this myself, but no guarantees. So if anyone else is interested in the problem, go for it. 
Mike [1] http://www.ubuntu.com/usn/USN-687-1 [2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html --- End Message --- --- Begin Message --- We've discussed this during the security team meeting and decided to close the bug: There are no other distributions which publish parseable data and we already have links to other bug trackers.--- End Message ---
Processed: Re: Bug#582196: marked as done ("regression fix" dsa's should not alter previous fixed version info)
Processing commands for cont...@bugs.debian.org: > tags 582196 moreinfo Bug #582196 [security-tracker] "regression fix" dsa's should not alter previous fixed version info Added tag(s) moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 582196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582196 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.c.142150656224223.transcr...@bugs.debian.org
Bug#773842: marked as done (security-tracker: DSA-3110-1 vs. tracker)
Your message dated Wed, 24 Dec 2014 07:30:02 +0100 with message-id <20141224063002.ga2...@lorien.valinor.li> and subject line Re: Bug#773842: security-tracker: DSA-3110-1 vs. tracker has caused the Debian Bug report #773842, regarding security-tracker: DSA-3110-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773842 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello. Another DSA [1] seems to lack an epoch in the stable fixed version. The tracker data [2] should be fixed. [1] https://lists.debian.org/debian-security-announce/2014/msg00303.html [2] https://security-tracker.debian.org/tracker/DSA-3110-1 P.S.: This kind of issues with DSAs lacking epochs seems to be really frequent: I think the DSA authors should be asked to always include the correct epoch in the mentioned versions! What do you think? --- End Message --- --- Begin Message --- Hi Francesco, On Tue, Dec 23, 2014 at 10:57:09PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello. > > Another DSA [1] seems to lack an epoch in the stable fixed version. > The tracker data [2] should be fixed. > > [1] https://lists.debian.org/debian-security-announce/2014/msg00303.html > [2] https://security-tracker.debian.org/tracker/DSA-3110-1 > > P.S.: This kind of issues with DSAs lacking epochs seems to be really > frequent: I think the DSA authors should be asked to always > include the correct epoch in the mentioned versions! 
> What do you think? Thank you I have corrected the tracker information. Since the epoch is part of the package version, it clearly should be included. The recent cases were I think simply overlooking/human error (which can happen) on DSA writers side. Let's see that we manage that this does not happen too often. Thanks for your overall work always checking the issues! Really appreciated. Regards, Salvatore--- End Message ---
Bug#773322: marked as done (security-tracker: DSA-3104-1 vs. tracker)
Your message dated Wed, 17 Dec 2014 16:19:23 +0100 with message-id <20141217151923.ga19...@home.ouaza.com> and subject line Re: Bug#773322: security-tracker: DSA-3104-1 vs. tracker has caused the Debian Bug report #773322, regarding security-tracker: DSA-3104-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773322: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773322 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello! DSA-3104-1 [1] states, in part: | An older security vulnerability, CVE-2004-2771, had already | been addressed in the Debian's bsd-mailx package. However, the tracker [2] seems to disagree, as it claims that all versions of bsd-mailx in Debian are currently vulnerable... I think the problem is an extra epoch in the (unstable) fixed version for bsd-mailx: this time the epoch is in the tracker data, but not in the actual package versions (contrary to the usual missing epoch issues that I frequently spot!). Please fix the tracker data. Thanks for your time! [1] https://lists.debian.org/debian-security-announce/2014/msg00294.html [2] https://security-tracker.debian.org/tracker/CVE-2004-2771 --- End Message --- --- Begin Message --- Hi, On Tue, 16 Dec 2014, Francesco Poli (wintermute) wrote: > | An older security vulnerability, CVE-2004-2771, had already > | been addressed in the Debian's bsd-mailx package. > > However, the tracker [2] seems to disagree, as it claims that > all versions of bsd-mailx in Debian are currently vulnerable... 
> I think the problem is an extra epoch in the (unstable) fixed > version for bsd-mailx: this time the epoch is in the tracker data, > but not in the actual package versions (contrary to the usual > missing epoch issues that I frequently spot!). That's right. The bug has been fixed in mailx 1:8.1.2-0.20040524cvs-2 but when the source package has been renamed to bsd-mailx, the epoch has been dropped so we should drop it too in the fixed version in the CVE tracker. Fix committed. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/--- End Message ---
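The epoch effect discussed in this report, as an added example that is not part of the original messages and not the security tracker's own code: a Python port of the dpkg version ordering rules, used to show how an extra or missing epoch in the recorded fixed version flips the vulnerable/fixed verdict. The function names and the bsd-mailx archive version are assumptions (the latter is a constructed sample); the mailx fixed version is the one quoted above and the bind9 versions are those quoted in Bug#773298 on this page.

```python
import re


def parse(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no colon: epoch defaults to 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no hyphen: empty Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(ch):
    """Sort weight of one non-digit character: '~' < end < letters < rest."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings with dpkg's rules."""
    while a or b:
        # Leading non-digit runs are compared character by character;
        # a run that ends early is padded with weight 0.
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            oa = _order(na[k]) if k < len(na) else 0
            ob = _order(nb[k]) if k < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        # The following digit runs are compared numerically (empty == 0).
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        va, vb = int(da or 0), int(db or 0)
        if va != vb:
            return -1 if va < vb else 1
    return 0


def compare(a, b):
    """Return -1, 0 or 1: the epoch decides first, then upstream, then revision."""
    ea, ua, ra = parse(a)
    eb, ub, rb = parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(archive_version, fixed_version):
    """A package counts as vulnerable while its version sorts below the fix."""
    return compare(archive_version, fixed_version) < 0


def epoch_mismatch(archive_version, fixed_version):
    """Lint check: the recorded fix and the archive version disagree on epoch."""
    return parse(archive_version)[0] != parse(fixed_version)[0]


# (label, archive version, fixed version recorded in the tracker data)
SAMPLES = [
    # Extra epoch: fix recorded with the old mailx epoch, while the renamed
    # package has none. The archive version here is a constructed sample.
    ("bsd-mailx, extra epoch", "8.1.2-0.20141216cvs-1", "1:8.1.2-0.20040524cvs-2"),
    ("bsd-mailx, epoch dropped", "8.1.2-0.20141216cvs-1", "8.1.2-0.20040524cvs-2"),
    # bind9 versions as quoted in Bug#773298; the second row is a constructed
    # variant of the fixed version with its epoch left out.
    ("bind9, correct epoch", "1:9.7.3.dfsg-1~squeeze11", "1:9.7.3.dfsg-1~squeeze13"),
    ("bind9, missing epoch", "1:9.7.3.dfsg-1~squeeze11", "9.7.3.dfsg-1~squeeze13"),
]


def audit(samples=SAMPLES):
    """Return (label, vulnerable?, epoch mismatch?) for every sample row."""
    return [(label, is_vulnerable(arch, fixed), epoch_mismatch(arch, fixed))
            for label, arch, fixed in samples]


if __name__ == "__main__":
    for label, vulnerable, mismatch in audit():
        print(f"{label:26} vulnerable={vulnerable!s:5} epoch_mismatch={mismatch}")
```

In both mismatch rows the verdict is wrong in opposite directions: the extra epoch marks a fixed package as vulnerable, and the missing epoch marks a vulnerable package as fixed.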
Bug#773298: marked as done (security-tracker: DLA-112-1 miscrepancy)
Your message dated Tue, 16 Dec 2014 20:15:05 +0100 with message-id <201412162015.17720.hol...@layer-acht.org> and subject line Re: Bug#773298: security-tracker: DLA-112-1 miscrepancy has caused the Debian Bug report #773298, regarding security-tracker: DLA-112-1 miscrepancy to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773298 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Dear Maintainer, https://security-tracker.debian.org/tracker/DLA-112-1 and https://security-tracker.debian.org/tracker/CVE-2014-8500 show the issue fixed in bind9 version 1:9.7.3.dfsg-1~squeeze11 while it's only fixed in squeeze-lts, 1:9.7.3.dfsg-1~squeeze13 1:9.7.3.dfsg-1~squeeze11 present in squeeze and squeeze-security repos ought to show as vulnerable. Regards, Zoran --- End Message --- --- Begin Message --- Hi Zoran, On Dienstag, 16. Dezember 2014, Zoran Dželajlija wrote: > https://security-tracker.debian.org/tracker/DLA-112-1 and > https://security-tracker.debian.org/tracker/CVE-2014-8500 > show the issue fixed in bind9 version 1:9.7.3.dfsg-1~squeeze11 > while it's only fixed in squeeze-lts, 1:9.7.3.dfsg-1~squeeze13 thanks for your bugreport, I've just committed a fix- [20:14] < KGB-2> | holger r30783 data/ DLA/list CVE/list [20:14] < KGB-2> mark CVE-2014-8500 correctly fixed in bind9 version 1:9.7.3.dfsg-1~squeeze13, thanks to Zoran and Raphael cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
Bug#772927: marked as done (security-tracker: please link source package names the corresponding tracker web page)
Your message dated Mon, 15 Dec 2014 20:45:32 +0100 with message-id <201412152045.45238.hol...@layer-acht.org> and subject line Re: Bug#772927: security-tracker: please link source package names the corresponding tracker web page has caused the Debian Bug report #772927, regarding security-tracker: please link source package names the corresponding tracker web page to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 772927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772927 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: wishlist Hello, I would like to have links in the "Package" column on "by-release overview" pages (e.g. https://security-tracker.debian.org/tracker/status/release/oldstable) and the links should point to the corresponding "by-source package overview" page (e.g. https://security-tracker.debian.org/tracker/source-package/binutils). Thank you! -- System Information: Debian Release: 8.0 APT prefers squeeze-lts APT policy: (500, 'squeeze-lts'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Hi Raphaël, On Freitag, 12. Dezember 2014, Raphaël Hertzog wrote: > I would like to have links in the "Package" column on "by-release > overview" pages (e.g. 
> https://security-tracker.debian.org/tracker/status/release/oldstable) > and the links should point to the corresponding "by-source package > overview" page (e.g. > https://security-tracker.debian.org/tracker/source-package/binutils). thanks for the bug report, I want(ed) this too and have implemented and deployed this now. cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
Bug#773100: marked as done (security-tracker: DSA-3100-1 vs. tracker)
Your message dated Sun, 14 Dec 2014 11:56:32 +0100 with message-id <201412141156.39452.hol...@layer-acht.org> and subject line Re: Bug#773100: security-tracker: DSA-3100-1 vs. tracker has caused the Debian Bug report #773100, regarding security-tracker: DSA-3100-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773100 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi all! DSA-3100-1 [1] seems to lack an epoch in the stable fixed version. The tracker reflects the DSA [2]: please fix the tracker data! Thanks for your time. [1] https://lists.debian.org/debian-security-announce/2014/msg00290.html [2] https://security-tracker.debian.org/tracker/DSA-3100-1 --- End Message --- --- Begin Message --- On Sonntag, 14. Dezember 2014, Francesco Poli (wintermute) wrote: > DSA-3100-1 [1] seems to lack an epoch in the stable fixed version. > The tracker reflects the DSA [2]: please fix the tracker data! fixed in git^wsvn, thanks! signature.asc Description: This is a digitally signed message part. --- End Message ---
Processed: please also mention SUAs on www.debian.org
Processing commands for cont...@bugs.debian.org: > clone 762255 -1 Bug #762255 [www.debian.org] "collect DLAs on www.d.o" Bug 762255 cloned as bug 772822 772822 was not blocked by any bugs. 772822 was blocking: 761945 Added blocking bug(s) of 772822: 761945 > retitle -1 "please also mention SUAs and d-s-a@l.d.o on .debian.org" Bug #772822 [www.debian.org] "collect DLAs on www.d.o" Changed Bug title to '"please also mention SUAs and d-s-a@l.d.o on .debian.org"' from '"collect DLAs on www.d.o"' > thanks Stopping processing here. Please contact me if you need assistance. -- 762255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762255 772822: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772822 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.c.14183025134965.transcr...@bugs.debian.org
Bug#772775: marked as done (security-tracker: DSA-3095-1 vs. tracker)
Your message dated Thu, 11 Dec 2014 05:16:22 +0100 with message-id <20141211041622.GA17564@eldamar.local> and subject line Re: Bug#772775: security-tracker: DSA-3095-1 vs. tracker has caused the Debian Bug report #772775, regarding security-tracker: DSA-3095-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 772775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772775 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello! It seems to me that DSA-3095-1 [1] lacks an epoch in the stable fixed version. The tracker reflects the DSA [2]: please fix the tracker data! Thanks for your time. [1] https://lists.debian.org/debian-security-announce/2014/msg00285.html [2] https://security-tracker.debian.org/tracker/DSA-3095-1 --- End Message --- --- Begin Message --- Hello Francesco, On Wed, Dec 10, 2014 at 11:59:40PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello! > > It seems to me that DSA-3095-1 [1] lacks an epoch in the stable fixed > version. > The tracker reflects the DSA [2]: please fix the tracker data! > > Thanks for your time. Thanks! Fixed now. Regards, Salvatore--- End Message ---
Bug#771121: marked as done (security-tracker: often returns "502 Proxy Error")
Your message dated Sat, 29 Nov 2014 11:41:09 +0100 with message-id <87wq6eqofu@mid.deneb.enyo.de> and subject line Re: Bug#771121: security-tracker: often returns "502 Proxy Error" has caused the Debian Bug report #771121, regarding security-tracker: often returns "502 Proxy Error" to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 771121: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771121 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: important Hello everybody! I have been experiencing frequent issues with the web interface of the security tracker for some weeks and I am still experiencing them: when visiting the tracker pages [1], I often get the following error message in my browser: | Proxy Error | | The proxy server received an invalid response from an upstream server. | The proxy server could not handle the request GET /tracker/DSA-3077-1. | | Reason: Error reading from remote server | | Apache Server at security-tracker.debian.org Port 443 After a (variable) number of attempts, the web server finally decides that the page is to be served and everything seems to work fine, until another error message appears when visiting some other page. Am I the only one who experiences such issues? I was hoping to see the problem fixed, but no joy yet... Could someone please investigate the issue and fix it? Thanks a lot for your time! Bye. 
[1] such as, for instance, https://security-tracker.debian.org/tracker/DSA-3077-1 --- End Message --- --- Begin Message --- * Francesco Poli: > I have been experiencing frequent issues with the web interface of the > security tracker for some weeks and I am still experiencing them: > when visiting the tracker pages [1], I often get the following error > message in my browser: > > | Proxy Error > | > | The proxy server received an invalid response from an upstream server. > | The proxy server could not handle the request GET /tracker/DSA-3077-1. > | > | Reason: Error reading from remote server > | > | Apache Server at security-tracker.debian.org Port 443 I think I may have fixed this in r30431, at least for the time being. The reason for the issue was that threading support was not actually active in the Python backend. However, there might now be other issues because the code has never been tested with threading (but I was careful when I wrote it not to use global variables for passing around data, so hopefully there won't be any problems). The fix is only temporary because at a certain point, broken bots scraping information from the HTML pages may overload the server again. There are several of them requesting the same CVE page again and again, but it's difficult to tell what's actually going on because of the privacy-enhanced logging.--- End Message ---
Bug#767654: marked as done (security-tracker: DSA-3061-1 vs. tracker)
Your message dated Sun, 2 Nov 2014 19:17:01 +0100 with message-id <20141102181701.GA20845@eldamar.local> and subject line Re: Bug#767654: security-tracker: DSA-3061-1 vs. tracker has caused the Debian Bug report #767654, regarding security-tracker: DSA-3061-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 767654: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767654 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi all! DSA-3061-1 [1] states that several vulnerabilities are fixed in sid by icedove/31.2.0-1, but the tracker [2] seems to disagree (claiming that sid is still unfixed). [1] https://lists.debian.org/debian-security-announce/2014/msg00249.html [2] https://security-tracker.debian.org/tracker/DSA-3061-1 Please update the tracker data. Thanks for your time! Bye. --- End Message --- --- Begin Message --- Hi Francesco, On Sun, Nov 02, 2014 at 06:48:24PM +0100, Francesco Poli wrote: > Control: reopen -1 > > > On Sun, 2 Nov 2014 15:28:40 +0100 Salvatore Bonaccorso wrote: > > > Hi Francesco, > > Hi Salvatore! > > > > > On Sat, Nov 01, 2014 at 06:32:03PM +0100, Francesco Poli (wintermute) wrote: > [...] > > > Please update the tracker data. > > > Thanks for your time! > > > > Thanks too! I have fixed the tracker information now. > > Good, except that I {don't|no longer} see the reference to > CVE-2014-1583 on the tracker... > I am thus reopening the bug report. > > Unless this is mistake in the DSA, please add the link (between > DSA-3061-1 and CVE-2014-1583) to the tracker. 
Yes I have removed the reference for CVE-2014-1583 in the tracker. It only affects iceweasel[1]. It is also removed for DSA-3061-1, but there you need to wait that the webpage is updated, which I think it is now[2]. [1] https://www.mozilla.org/security/advisories/mfsa2014-82/ [2] https://www.debian.org/security/2014/dsa-3061 Regards, Salvatore--- End Message ---
Processed: Re: Bug#767654: security-tracker: DSA-3061-1 vs. tracker
Processing control commands: > reopen -1 Bug #767654 {Done: Salvatore Bonaccorso } [security-tracker] security-tracker: DSA-3061-1 vs. tracker Bug reopened Ignoring request to alter fixed versions of bug #767654 to the same values previously set -- 767654: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767654 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b767654.14149505546364.transcr...@bugs.debian.org
Bug#767654: marked as done (security-tracker: DSA-3061-1 vs. tracker)
Your message dated Sun, 2 Nov 2014 15:28:40 +0100 with message-id <20141102142840.GA2454@eldamar.local> and subject line Re: Bug#767654: security-tracker: DSA-3061-1 vs. tracker has caused the Debian Bug report #767654, regarding security-tracker: DSA-3061-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 767654: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767654 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi all! DSA-3061-1 [1] states that several vulnerabilities are fixed in sid by icedove/31.2.0-1, but the tracker [2] seems to disagree (claiming that sid is still unfixed). [1] https://lists.debian.org/debian-security-announce/2014/msg00249.html [2] https://security-tracker.debian.org/tracker/DSA-3061-1 Please update the tracker data. Thanks for your time! Bye. --- End Message --- --- Begin Message --- Hi Francesco, On Sat, Nov 01, 2014 at 06:32:03PM +0100, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hi all! > DSA-3061-1 [1] states that several vulnerabilities are fixed in sid > by icedove/31.2.0-1, but the tracker [2] seems to disagree (claiming > that sid is still unfixed). > > [1] https://lists.debian.org/debian-security-announce/2014/msg00249.html > [2] https://security-tracker.debian.org/tracker/DSA-3061-1 > > Please update the tracker data. > Thanks for your time! Thanks too! I have fixed the tracker information now. Regards, Salvatore--- End Message ---
Bug#766412: marked as done (security-tracker: DSA-3049-1 vs. tracker)
Your message dated Thu, 23 Oct 2014 09:00:07 +0200 with message-id <20141023070007.ga21...@lorien.valinor.li> and subject line Re: Bug#766412: security-tracker: DSA-3049-1 vs. tracker has caused the Debian Bug report #766412, regarding security-tracker: DSA-3049-1 vs. tracker to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 766412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766412 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hello everybody! DSA-3049-1 [1] states that several vulnerabilities are fixed in sid and jessie by wireshark/1.12.1+g01b65bf-1, but the tracker [2] seems to disagree for CVE-2014-6422 (which is claimed to still affect both sid and jessie). [1] https://lists.debian.org/debian-security-announce/2014/msg00236.html [2] https://security-tracker.debian.org/tracker/CVE-2014-6422 Please update the tracker data. Thanks for your time! Bye. --- End Message --- --- Begin Message --- Hi Francesco, On Wed, Oct 22, 2014 at 11:38:21PM +0200, Francesco Poli (wintermute) wrote: > Package: security-tracker > Severity: normal > > Hello everybody! > DSA-3049-1 [1] states that several vulnerabilities are fixed in sid and > jessie by wireshark/1.12.1+g01b65bf-1, but the tracker [2] seems to > disagree for CVE-2014-6422 (which is claimed to still affect both sid > and jessie). > > [1] https://lists.debian.org/debian-security-announce/2014/msg00236.html > [2] https://security-tracker.debian.org/tracker/CVE-2014-6422 > > Please update the tracker data. 
The reason this entry was not updated so far lies in the TODO entry in the tracker, for the issue to be checked: TODO: check, 1.12 series possibly not affected (only 1.10.0 to 1.10.9) This was needed to be checked before, if it affects 1.12 at all, since advisory mentioned only the 1.10 series. I just quickly checked version 1.12.1+g01b65bf-1 in unstable which seems to contain the fix. Indeed it was even fixed in 1.11.3 upstream, so marking the tracker with the first version in unstable containing the fix (1.12.0+git+4fab41a1-1). Thank you for noticing the inconsistency. Regards, Salvatore--- End Message ---
Bug#764091: marked as done (security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages)
Your message dated Mon, 6 Oct 2014 15:51:19 +0200 with message-id <201410061551.26432.hol...@layer-acht.org> and subject line Re: Bug#764091: security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages has caused the Debian Bug report #764091, regarding security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 764091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764091 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: security-tracker Severity: normal Hi After the changes in #761889 when a CVE affects multiple source packages the vulnerable and fixed packages the table sorts only by release. 
So now for example CVE-2014-0207 shows:

Source Package  Release                      Version            Status
file (PTS)      squeeze (security), squeeze  5.04-5+squeeze5    vulnerable
php5 (PTS)      squeeze (security), squeeze  5.3.3-7+squeeze19  vulnerable
file (PTS)      squeeze (lts)                5.04-5+squeeze7    fixed
php5 (PTS)      squeeze (lts)                5.3.3-7+squeeze22  fixed
file (PTS)      wheezy                       5.11-2+deb7u3      vulnerable
php5 (PTS)      wheezy                       5.4.4-14+deb7u11   vulnerable
file (PTS)      wheezy (security)            5.11-2+deb7u5      fixed
php5 (PTS)      wheezy (security)            5.4.4-14+deb7u14   fixed
file (PTS)      jessie, sid                  1:5.19-2           fixed
php5 (PTS)      jessie, sid                  5.6.0+dfsg-16      fixed

Please have the table first group again by source package and then within this table sort by release, like:

Source Package  Release                      Version            Status
file (PTS)      squeeze, squeeze (security)  5.04-5+squeeze5    vulnerable
                squeeze (lts)                5.04-5+squeeze7    fixed
                wheezy                       5.11-2+deb7u3      vulnerable
                wheezy (security)            5.11-2+deb7u5      fixed
                jessie, sid                  1:5.19-2           fixed
php5 (PTS)      squeeze, squeeze (security)  5.3.3-7+squeeze19  vulnerable
                squeeze (lts)                5.3.3-7+squeeze21  fixed
                wheezy                       5.4.4-14+deb7u11   vulnerable
                wheezy (security)            5.4.4-14+deb7u14   fixed
                jessie, sid                  5.6.0+dfsg-1       fixed

Regards, Salvatore --- End Message --- --- Begin Message --- Hi Salvatore, On Sonntag, 5. Oktober 2014, Salvatore Bonaccorso wrote: > After the changes in #761889 when a CVE affects multiple source > packages the vulnerable and fixed packages the table sorts only by > release. > > So now for example CVE-2014-0207 shows: > > Please have the table first group again by source package and then > within this table sort by release, like: thanks for the very understandable bugreport, fixed in git/svn and deployed to the tracker! cheers, Holger signature.asc Description: This is a digitally signed message part. --- End Message ---
Bug#761889: marked as done (decide about desired ordering of releases and issues)
Your message dated Fri, 3 Oct 2014 09:47:43 +0200 with message-id <201410030947.45335.hol...@layer-acht.org> and subject line Re: Bug#761889: decide about desired ordering of releases and issues has caused the Debian Bug report #761889, regarding decide about desired ordering of releases and issues to be marked as done.

-- 761889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761889

--- Begin Message ---
package: security-tracker

Hi,

the ordering of the releases (sid, jessie, wheezy...) and issues (open and resolved CVEs, DSAs, etc) is not consistent in the tracker web ui (and was nondeterministic in parts).

So what do we have, there are basically two views: package-centric, like https://security-tracker.debian.org/tracker/source-package/bind9 and issue-centric, like https://security-tracker.debian.org/tracker/CVE-2014-0591

Both list the releases in their page header, the issue-view lists oldest release on top, the package view is nondeterministic (aka buggy, compare bind9 vs linux). So that's issue #1.

The issue-view then lists affected releases, also with oldest release on top. Then it lists releases with fixed versions, with the newest releases on top - no, actually unsorted. So that's #2. So that should probably be fixed to also list the oldest release on top. Agreed?

Then, the package view lists releases in the "open issues" table, with the oldest on the left. So except for this one issue, the releases are ordered consistently now.
Second question: is that the preferred ordering, or should newer releases be on the left/top? That's #3 even though it's just a question, that's one of the main questions to decide here!

The second main question is the issue ordering: In the issue view, "open issues", "open unimportant issues" and "resolved issues" are all sorted with the oldest on top. "Security announcements" are sorted with the newest on top.

I think it's rather clear that "resolved issues" should be sorted with oldest at bottom, like the announcements. That's #4.

Debatable (but sadly so far only debated between Salvatore and me) is whether to list newer "open (unimportant) issues" on top or at the bottom. Salvatore argues that currently it's easier to see what old issues haven't been handled, while my arguing is that new issues should be easier to see, as old ones are probably known already anyway. This is #5 for the team to decide :-)

I can fix #1+#2 to make the ordering deterministic, but the team should really decide on #3-5. Are there regular irc meetings where this could happen? Or else, how?

cheers,
Holger
--- End Message ---

--- Begin Message ---
Hi,

On Dienstag, 16. September 2014, Holger Levsen wrote:
> the ordering of the releases (sid, jessie, wheezy...) and issues (open and
> resolved CVEs, DSAs, etc) is not consistent in the tracker web ui (and was
> nondeterministic in parts).
>
> So what do we have, there are basically two views:
[...]
> I can fix #1+#2 to make the ordering deterministic, but the team should
> really decide on #3-5. Are there regular irc meetings where this could
> happen? Or else, how?

I now applied and activated a patch which sorts them now in deterministic order, in the way I think is sensible. Please speak up if you think that's not useful.

(Next, besides fixing backports support is to add switches to in+exclude suites on demand everywhere.)
cheers,
Holger
--- End Message ---
Bug#763074: marked as done (security-tracker: DSA-3037-1 vs. tracker)
Your message dated Sat, 27 Sep 2014 19:37:16 +0200 with message-id <20140927173716.GA29078@eldamar.local> and subject line Re: Bug#763074: security-tracker: DSA-3037-1 vs. tracker has caused the Debian Bug report #763074, regarding security-tracker: DSA-3037-1 vs. tracker to be marked as done.

-- 763074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763074

--- Begin Message ---
Package: security-tracker
Severity: normal

Hi all!

I am under the impression that DSA-3037-1 [1] has a typo in the version that fixes CVE-2014-1568 for stable. The correct version number seems [2] to be 24.8.1-1~deb7u1 (even though the changelog seems to have a typo in the CVE number: it's CVE-2014-1568, not CVE-2024-1568!).

The tracker reflects the DSA [3]: please fix the tracker data!

Thanks for your time (and for the significant improvements that the tracker has recently had!).

[1] https://lists.debian.org/debian-security-announce/2014/msg00225.html
[2] https://tracker.debian.org/media/packages/i/icedove/changelog-24.8.1-1~deb7u1
[3] https://security-tracker.debian.org/tracker/DSA-3037-1
--- End Message ---

--- Begin Message ---
Hi Francesco,

On Sat, Sep 27, 2014 at 07:13:35PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hi all!
>
> I am under the impression that DSA-3037-1 [1] has a typo in the
> version that fixes CVE-2014-1568 for stable.
> The correct version number seems [2] to be 24.8.1-1~deb7u1
> (even though the changelog seems to have a typo in the CVE
> number: it's CVE-2014-1568, not CVE-2024-1568!).
>
> The tracker reflects the DSA [3]: please fix the tracker data!
>
> Thanks for your time (and for the significant improvements
> that the tracker has recently had!).

Thanks for spotting this! I have corrected the version for the icedove DSA.

Regards,
Salvatore
--- End Message ---
Bug#642987: marked as done (Entries marked as should not be displayed as "fixed" in the web overview)
Your message dated Thu, 25 Sep 2014 09:43:20 +0200 with message-id <201409250943.22087.hol...@layer-acht.org> and subject line end-of-life now visible in security tracker has caused the Debian Bug report #642987, regarding Entries marked as should not be displayed as "fixed" in the web overview to be marked as done.

-- 642987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642987

--- Begin Message ---
Package: security-tracker
Severity: normal

is used to mark a package as no longer supported in an otherwise supported release. Such entries are currently displayed as "fixed" in the issue overview, e.g.: http://security-tracker.debian.org/tracker/CVE-2010-3908.

The web overview should rather show "end-of-life" instead of "fixed".

Cheers,
Moritz
--- End Message ---

--- Begin Message ---
Hi,

subject says it all.

cheers,
Holger
--- End Message ---
Processed: user www.debian....@packages.debian.org, forcibly merging 762254 751403, usertagging 751403
Processing commands for cont...@bugs.debian.org:

> user www.debian@packages.debian.org
Setting user to www.debian@packages.debian.org (was taf...@debian.org).
> forcemerge 762254 751403
Bug #762254 [www.debian.org] "explain LTS on the www.d.o website"
Bug #751403 [www.debian.org] www.debian.org: /News/2014/20140424 missing link how to use squeeze LTS
761945 was blocked by: 762254 762255
761945 was not blocking any bugs.
Added blocking bug(s) of 761945: 751403
Merged 751403 762254
> usertags 751403 content
Usertags were: content news.
Usertags are now: content news.
> thanks
Stopping processing here.

Please contact me if you need assistance.

-- 751403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751403
761945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761945
762254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762254

Archive: https://lists.debian.org/handler.s.c.141158582314426.transcr...@bugs.debian.org
Processed: merge
Processing commands for cont...@bugs.debian.org:

> severity 762288 wishlist
Bug #762288 [security-tracker] security-tracker: available versions table is unnecessary
Severity set to 'wishlist' from 'normal'
> merge 761963 762288
Bug #761963 [security-tracker] security-tracker: consolidate vulnerable/fixed per release in overviews
Bug #762288 [security-tracker] security-tracker: available versions table is unnecessary
Merged 761963 762288
> thanks
Stopping processing here.

Please contact me if you need assistance.

-- 761963: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761963
762288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762288

Archive: https://lists.debian.org/handler.s.c.141142706226717.transcr...@bugs.debian.org
Bug#762069: marked as done (security-tracker does not update NVD information anymore)
Your message dated Mon, 22 Sep 2014 19:14:23 +0200 with message-id <20140922171423.GA26721@eldamar.local> and subject line Re: Bug#762069: security-tracker does not update NVD information anymore has caused the Debian Bug report #762069, regarding security-tracker does not update NVD information anymore to be marked as done.

-- 762069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762069

--- Begin Message ---
Package: security-tracker
Severity: normal
Tags: confirmed

Hi,

I'm looking into this problem, but would like to have documented the problem in the BTS.

Currently, since we switched to fetching information through https, updates of NVD information for the security-tracker do not work anymore. Makefile contains an update-nvd target, which fetches the nvde-$year information via https:

    wget -q -Odata/nvd/$$name https://nvd.nist.gov/download/$$name

    ERROR: The certificate of `nvd.nist.gov' is not trusted.
    ERROR: The certificate of `nvd.nist.gov' hasn't got a known issuer.

Solution: We need (as for example also needed for qa's vcs-watch) our own CA store for the security-tracker which is used on soler.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Hi

This is now done by keeping a certificate store for the sectracker user which is then used when fetching the data.

Regards,
Salvatore
--- End Message ---
Processed: Re: Processed (with 5 errors): Re: Bug#761945: security-tracker: link to DLA details from Source field
Processing commands for cont...@bugs.debian.org:

> reassign 762254 www.debian.org
Bug #762254 [www.debian.org] "explain LTS on the www.d.o website"
Ignoring request to reassign bug #762254 to the same package
> reassign 762255 www.debian.org
Bug #762255 [www.debian.org] "collect DLAs on www.d.o"
Ignoring request to reassign bug #762255 to the same package
> block 761945 by 762254
Bug #761945 [security-tracker] security-tracker: link to DLA details from Source field
761945 was not blocked by any bugs.
761945 was not blocking any bugs.
Added blocking bug(s) of 761945: 762254
> block 761945 by 762255
Bug #761945 [security-tracker] security-tracker: link to DLA details from Source field
761945 was blocked by: 762254
761945 was not blocking any bugs.
Added blocking bug(s) of 761945: 762255
> thanks
Stopping processing here.

Please contact me if you need assistance.

-- 761945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761945
762254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762254
762255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762255

Archive: https://lists.debian.org/handler.s.c.141120629915804.transcr...@bugs.debian.org
Bug#762214: marked as done (security-tracker: sort "Available releases" view correctly)
Your message dated Sat, 20 Sep 2014 09:43:25 +0200 with message-id <20140920074325.GA27769@eldamar.local> and subject line Re: Bug#762214: security-tracker: sort "Available releases" view correctly has caused the Debian Bug report #762214, regarding security-tracker: sort "Available releases" view correctly to be marked as done.

-- 762214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762214

--- Begin Message ---
package: security-tracker
severity: minor

Hi,

the attached non-intrusive patch basically rewrites the availableRelease() function which is only used to create https://security-tracker.debian.org/tracker/data/releases which currently is not ordered at all. The patch makes it logically by release, subrelease and archive.

Shall I push this patch into SVN?

cheers,
Holger, finally finished chasing what he thought was a low hanging fruit ;)

From f1841ee6be909cd6c8e8c8bf94385edf9637954f Mon Sep 17 00:00:00 2001 From: Holger Levsen Date: Fri, 19 Sep 2014 17:02:36 +0200 Subject: [PATCH] rewrite DB.availableReleases() to make it possible to sort by release, subrelease and archive --- bin/tracker_service.py| 2 ++ lib/python/security_db.py | 49 +++ 2 files changed, 34 insertions(+), 17 deletions(-) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 4ad08be..4e87dc1 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py 
@@ -1141,6 +1141,8 @@ not unimportant."""), sources = 'yes' else: sources = 'no' +if 'source' in archs: +archs.remove('source') yield rel, subrel, archive, sources, make_list(archs) return self.create_page( url, "Available releases", diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 4917b46..1abfb8a 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -440,6 +440,14 @@ class DB: return -1 self.db.createscalarfunction("subrelease_to_number", subrelease_to_number, 1) +archives = ['main', 'contrib', 'non-free'] +def archive_to_number(u): +try: +return archives.index(u) +except ValueError: +return -1 +self.db.createscalarfunction("archive_to_number", archive_to_number, 1) + def release_name(release, subrelease, archive): if archive <> 'main': release = release + '/' + archive @@ -451,6 +459,10 @@ class DB: self.db.createcollation("version", debian_support.version_compare) +def source_arch(): +return "source" +self.db.createscalarfunction("source_arch", source_arch, 0) + def filePrint(self, filename): """Returns a fingerprint string for filename.""" 
@@ -860,24 +872,27 @@ class DB: if cursor is None: cursor = self.cursor() -releases = {} -for r in cursor.execute( -"""SELECT DISTINCT release, subrelease, archive -FROM source_packages"""): -releases[r] = (True, []) - -for (rel, subrel, archive, archs) in cursor.execute( -"""SELECT DISTINCT release, subrelease, archive, archs -FROM binary_packages"""): -key = (rel, subrel, archive) -if not releases.has_key(key): -releases[key] = (False, []) -releases[key][1][:] = mergeLists(releases[key][1], archs) - result = [] -for ((rel, subrel, archive), (sources, archs)) in releases.items(): -result.append((rel, subrel, archive, sources, archs)) -result.sort() +result.append(('', '', '', False, [])) +for (rel, subrel, archive, archs) in cursor.execute( +"""SELECT * FROM +(SELECT DISTINCT release, subrelease, archive, archs +FROM binary_packages +UNION SELECT DISTINCT release, subrelease, archive, source_arch() as archs +FROM source_packages) +ORDER BY release_to_number(release), subrelease_to_number(subrelease), arc
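Review bot: in the bin/tracker_service.py hunk, `archs.remove('source')` relies on the literal string that `source_arch()` in lib/python/security_db.py puts into the `archs` column, and neither side says so. A shared constant, or at least a comment at both places, would keep the two from drifting apart, and it is worth noting in that comment that `archs` is changed in place just before `make_list(archs)`.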
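Review bot: in the security_db.py hunk at -440, `archive_to_number` returns -1 for any archive not in `['main', 'contrib', 'non-free']`, so when it is used as an ascending sort key an unknown archive lands ahead of `main`. If unknown archives are meant to come last, return `len(archives)` instead; either way a one-line docstring stating the intended position would help, since the same -1 convention is visible in the `subrelease_to_number` context above it.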
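Review bot: in the security_db.py hunk at -451, `source_arch()` is registered as a zero-argument SQL function only to return the constant "source". The query could select the literal `'source' AS archs` directly, which drops one function registration and keeps the marker next to the only query that uses it.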
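Review bot: in the security_db.py hunk at -860, `result.append(('', '', '', False, []))` seeds the result with a placeholder row and carries no comment; the hunk is cut off on this page before the loop body, so how that row is consumed is not visible here. A comment saying what the placeholder is for, and whether it is dropped before the function returns, would make the loop reviewable. Separately, `SELECT DISTINCT` on both sides of the `UNION` is redundant, because `UNION` already removes duplicate rows.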
Processed (with 5 errors): Re: Bug#761945: security-tracker: link to DLA details from Source field
Processing commands for cont...@bugs.debian.org:

> clone 761945 -1 -2
Bug #761945 [security-tracker] security-tracker: link to DLA details from Source field
Bug 761945 cloned as bugs 762254-762255
> reassign -1 debian-www
Bug #762254 [security-tracker] security-tracker: link to DLA details from Source field
Bug reassigned from package 'security-tracker' to 'debian-www'.
Warning: Unknown package 'debian-www'
Warning: Unknown package 'debian-www'
Ignoring request to alter found versions of bug #762254 to the same values previously set
Warning: Unknown package 'debian-www'
Warning: Unknown package 'debian-www'
Ignoring request to alter fixed versions of bug #762254 to the same values previously set
Warning: Unknown package 'debian-www'
> reassign -2 debian-www
Bug #762255 [security-tracker] security-tracker: link to DLA details from Source field
Bug reassigned from package 'security-tracker' to 'debian-www'.
Warning: Unknown package 'debian-www'
Warning: Unknown package 'debian-www'
Ignoring request to alter found versions of bug #762255 to the same values previously set
Warning: Unknown package 'debian-www'
Warning: Unknown package 'debian-www'
Ignoring request to alter fixed versions of bug #762255 to the same values previously set
Warning: Unknown package 'debian-www'
> retitle -1 "explain LTS on the www.d.o website"
Bug #762254 [debian-www] security-tracker: link to DLA details from Source field
Warning: Unknown package 'debian-www'
Changed Bug title to '"explain LTS on the www.d.o website"' from 'security-tracker: link to DLA details from Source field'
Warning: Unknown package 'debian-www'
> retitle -2 "collect DLAs on www.d.o"
Bug #762255 [debian-www] security-tracker: link to DLA details from Source field
Warning: Unknown package 'debian-www'
Changed Bug title to '"collect DLAs on www.d.o"' from 'security-tracker: link to DLA details from Source field'
Warning: Unknown package 'debian-www'
> block 761945 -1
Unknown command or malformed arguments to command.
> block 761945 -2
Unknown command or malformed arguments to command.
> Hi Paul,
Unknown command or malformed arguments to command.
> thanks for your bug report!
Unknown command or malformed arguments to command.
> On Mittwoch, 17. September 2014, Paul Wise wrote:
Unknown command or malformed arguments to command.
Too many unknown commands, stopping here.

Please contact me if you need assistance.

-- 761945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761945
762254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762254
762255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762255

Archive: https://lists.debian.org/handler.s.c.141119638426599.transcr...@bugs.debian.org