Re: Conflicting Information on CVE-2008-3699 Page
* Moritz Muehlenhoff:

>> The CVE-2008-3230 page seems to have the same problem. What would
>> need to be done to fix this? I may have some time to look at the code
>> and make it work better -- if someone can tell me where to start. Is
>> the code that generates these pages contained in the secure-testing
>> package?
>
> Thanks for the offer. I believe the addition of a new state similar to
> (e.g. ) might be the best solution.

We currently have at least:

NOT-FOR-US
unimportant

That's already too much choice, and it's really difficult to derive clear
semantics for all parts of the web page and the debsecan data from that.

One thing that might work (but still requires code changes) is to use
"unimportant" only if there's a "fixed" version, and if there isn't.

On top of that, we currently use and "unimportant" for several, unrelated
purposes:

- vulnerabilities not shipped in binary packages (only in the source)
- vulnerabilities on non-Debian platforms
- vulnerabilities in not-yet-uploaded versions
- non-vulnerabilities (design trade-off, bogus reports)
- vulnerabilities outside security support (browser crash, PHP safe mode issues)

There might be more stuff I've missed. It's not quite clear to me how to
reorganize all this. might be one approach, but maybe this should be a
per-CVE attribute like REJECTED.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
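The contradiction Michael reports (summary says "not known to be vulnerable", the per-release table says "etch 1.4.4-4 vulnerable") and the distinct-state fix discussed above, modelled in Python as an added illustration. This is not code from the secure-testing tracker (bin/tracker_service.py); the record fields, the state name "not-affected", the simplified version comparison and the sample entries are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


# Simplified version ordering: numeric components only. This is NOT dpkg's
# algorithm (no epochs, tildes or letters); it is enough for the sample values.
def version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class ReleaseStatus:
    release: str                   # e.g. "etch"
    version: str                   # version shipped in that release
    fixed_version: Optional[str]   # None when no fixed version is recorded


@dataclass
class CveEntry:
    cve: str
    releases: list
    non_issue: bool = False        # the "not a vulnerability" note at the bottom of the page


def find_release(entry: CveEntry, release: str) -> ReleaseStatus:
    for rs in entry.releases:
        if rs.release == release:
            return rs
    raise KeyError(release)


def release_is_fixed(rs: ReleaseStatus) -> bool:
    return rs.fixed_version is not None and version_key(rs.version) >= version_key(rs.fixed_version)


def render_old(entry: CveEntry, release: str) -> Tuple[str, str]:
    """Old presentation: the summary honours the non-issue note, but the
    per-release table only compares versions, so a non-issue renders a page
    whose two halves disagree."""
    rs = find_release(entry, release)
    table = "fixed" if release_is_fixed(rs) else "vulnerable"
    summary = "not known to be vulnerable" if (entry.non_issue or table == "fixed") else "vulnerable"
    return summary, table


def render_new(entry: CveEntry, release: str) -> Tuple[str, str]:
    """Proposed fix: one distinct per-release state ("not-affected", an assumed
    name) from which both the table cell and the summary are derived."""
    rs = find_release(entry, release)
    if entry.non_issue:
        table = "not-affected"
    else:
        table = "fixed" if release_is_fixed(rs) else "vulnerable"
    summary = "vulnerable" if table == "vulnerable" else "not known to be vulnerable"
    return summary, table


def contradicts(summary: str, table: str) -> bool:
    """The inconsistency reported in the thread: summary says safe, table says vulnerable."""
    return summary == "not known to be vulnerable" and table == "vulnerable"


# Constructed sample data modelled on the thread: etch ships 1.4.4-4, no fixed
# version is recorded, and the entry carries a non-issue note.
NON_ISSUE = CveEntry("CVE-2008-3699", [ReleaseStatus("etch", "1.4.4-4", None)], non_issue=True)
# A constructed genuine issue for contrast (placeholder CVE id): etch is below the fix.
REAL_ISSUE = CveEntry("CVE-XXXX-YYYY", [ReleaseStatus("etch", "1.4.4-4", "1.4.4-5")])

if __name__ == "__main__":
    for entry in (NON_ISSUE, REAL_ISSUE):
        for name, render in (("old", render_old), ("new", render_new)):
            summary, table = render(entry, "etch")
            flag = "CONTRADICTION" if contradicts(summary, table) else "ok"
            print(f"{entry.cve} {name}: summary={summary!r} etch={table!r} -> {flag}")
```

The point of deriving the summary from the per-release state rather than from a separate flag is that every part of the page (and any downstream consumer such as debsecan) reads the same value, which is the "clear semantics" problem raised in the thread.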
Re: Conflicting Information on CVE-2008-3699 Page
On Fri, Oct 24, 2008 at 12:13:10AM -0400, Michael Gilbert wrote:
> >> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known
> >> to be vulnerable", yet in the next section it says that "etch 1.4.4-4
> >> vulnerable". These two statements contradict one another, and lead one
> >> clueless as to whether the issue has been fixed or not in stable. The
> >> tracker should be updated with correct information.
> >
> > In this case the issue is marked as a "non-issue", the rationale is at the
> > bottom of the page. That makes the top part say that we're not affected.
> > The vulnerability indications below are not that meaningful for
> > non-issues.
> >
> > We could see if we can improve the presentation of items marked as a
> > non-issue.
>
> The CVE-2008-3230 page seems to have the same problem. What would
> need to be done to fix this? I may have some time to look at the code
> and make it work better -- if someone can tell me where to start. Is
> the code that generates these pages contained in the secure-testing
> package?

Thanks for the offer. I believe the addition of a new state similar to
(e.g. ) might be the best solution.

Cheers,
Moritz
Re: Conflicting Information on CVE-2008-3699 Page
On Friday 24 October 2008 06:13, Michael Gilbert wrote:
> The CVE-2008-3230 page seems to have the same problem. What would
> need to be done to fix this? I may have some time to look at the code
> and make it work better -- if someone can tell me where to start. Is
> the code that generates these pages contained in the secure-testing
> package?

It can be found in the secure-testing repository:

svn+ssh://svn.debian.org/svn/secure-testing

under bin/tracker_service.py

Thijs
Re: Conflicting Information on CVE-2008-3699 Page
>> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known
>> to be vulnerable", yet in the next section it says that "etch 1.4.4-4
>> vulnerable". These two statements contradict one another, and lead one
>> clueless as to whether the issue has been fixed or not in stable. The
>> tracker should be updated with correct information.
>
> In this case the issue is marked as a "non-issue", the rationale is at the
> bottom of the page. That makes the top part say that we're not affected.
> The vulnerability indications below are not that meaningful for
> non-issues.
>
> We could see if we can improve the presentation of items marked as a
> non-issue.

The CVE-2008-3230 page seems to have the same problem. What would
need to be done to fix this? I may have some time to look at the code
and make it work better -- if someone can tell me where to start. Is
the code that generates these pages contained in the secure-testing
package?
Re: Conflicting Information on CVE-2008-3699 Page
On Wed, October 22, 2008 23:59, Michael Gilbert wrote:
> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known
> to be vulnerable", yet in the next section it says that "etch 1.4.4-4
> vulnerable". These two statements contradict one another, and lead one
> clueless as to whether the issue has been fixed or not in stable. The
> tracker should be updated with correct information.

In this case the issue is marked as a "non-issue", the rationale is at the
bottom of the page. That makes the top part say that we're not affected.
The vulnerability indications below are not that meaningful for
non-issues.

We could see if we can improve the presentation of items marked as a
non-issue.

cheers,
Thijs