Re: Nginx is vulnerable CVE-2024-39792

2024-08-15 Thread Moritz Muehlenhoff
On Thu, Aug 15, 2024 at 01:29:32PM +0200, Micha vor dem Berge wrote: > See > CVE-2024-39792 > and > https://github.com/advisories/GHSA-j72m-4pgw-w3qv That's for Nginx Plus, Debian ships the open source Nginx releases. Cheers, Moritz

Bug#1073012: Automatically rewrite incoming entries from some CNAs as NFUs

2024-06-11 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist These days the scopes of CNAs are usually narrow and scoped to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil. We can do this by extending the "automatic update" job to automatically annotate CVEs assig

Re: bullseye (security) represents old version on security-tracker.d.o

2024-01-09 Thread Moritz Muehlenhoff
Hi Kentaro, > I've found a bit strange status about some tracked issue > on security-tracker.debian.org. > > 1. CVE-2023-36054 krb5 > https://security-tracker.debian.org/tracker/CVE-2023-36054 > > it shows like: > > bullseye 1.18.3-6+deb11u4 fixed > bullseye (security) 1.18.3-6+deb11u3 vuln

Bug#1039606: Don't display unimportant issues as "vulnerable"

2023-06-27 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist "unimportant" issues don't have security impact, but currently they get shown as "vulnerable" in red, both in a package overview page, e.g. https://security-tracker.debian.org/tracker/source-package/c-ares and CVE-specific pages, e.g. https://security-

Re: Any updates on CVE-2018-1000021

2023-05-05 Thread Moritz Muehlenhoff
Hi Leoš, On Fri, May 05, 2023 at 01:48:29PM +, Leoš Sokolowski wrote: > Hi, > > I'd like to ask if there's any update on the git-vulnerability > CVE-2018-12. According to the description on both the tracker and the NVD > it has been fixed since Version 2.15.1, but the security trackers

Re: Debian publishing vulnerability information in OSV format

2022-11-09 Thread Moritz Muehlenhoff
On Tue, Nov 08, 2022 at 08:29:03PM -0800, Andrew Pollock wrote: > Hello, > > Would Debian be interested in being the first Linux distribution to publish > vulnerability advisories in the OSV format[1]? > > I’m working on osv.dev[2] in

Re: Downloading All Debian Bug Report Logs

2022-01-31 Thread Moritz Muehlenhoff
On Mon, Jan 31, 2022 at 01:12:28PM +, yahyakose wrote: > Hi, > > I want to download all "Debian Bug report logs" like below page: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986537 > > Is there any place to download these pages? Or is there any place that I can > get all bug IDs to

Bug#992115: Stop using the NVD severity

2021-08-11 Thread Moritz Muehlenhoff
Package: security-tracker Severity: normal We should stop using/displaying the NVD severity in the Security Tracker. Anyone is free to look up whatever external data source they want, but we should not give NVD legitimacy by showing it in the Security Tracker.

Bug#989065: Show packages from next-point-release.txt in source package overview

2021-05-24 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist https://security-tracker.debian.org/tracker/source-package/foo shows CVEs tagged as "vulnerable (no DSA)". If there's an update pending (i.e. if a CVE is listed in data/next-point-release.txt) it could instead be presented as "pending for next point re

Bug#987283: Filter list for "unreported" view

2021-04-20 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist https://security-tracker.debian.org/tracker/status/unreported should gain a filter list, since there are some packages for which filing bugs makes no sense (e.g. the linux kernel, which is tracked without filed bugs in the BTS or various legacy Nvidia p

Re: About CVE-2017-10965

2020-09-01 Thread Moritz Muehlenhoff
On Tue, Sep 01, 2020 at 11:57:08AM +, Teppei Fukuda wrote: > Hi Moritz, > > Thank you for the quick reply. I also found more gaps than this case. Do you > have a plan to compare OVAL and Security Tracker and fill gaps? Or, if Debian > Security Tracker is always correct, should we use the fol

Re: About CVE-2017-10965

2020-09-01 Thread Moritz Muehlenhoff
On Tue, Sep 01, 2020 at 04:51:43AM +, Teppei Fukuda wrote: > Hi Debian Security Team, > > Thank you for providing the great tracker system. I have a question. When it > comes to CVE-2017-10965, the following page says 1.0.2-1+deb9u2 is the fixed > version on stretch. > https://security-track

Re: About CVE-2017-1000082

2020-06-26 Thread Moritz Muehlenhoff
Hi Teppei, On Fri, Jun 26, 2020 at 01:09:40PM +, Teppei Fukuda wrote: > Hi Debian Security Team, > > Thank you for providing the great tracker system. I have a question. When it > comes to CVE-2017-182, jessie says "fixed". > https://security-tracker.debian.org/tracker/CVE-2017-182 >

Re: Old open CVEs in webkit2gtk

2019-09-07 Thread Moritz Muehlenhoff
On Sat, Sep 07, 2019 at 09:43:03PM +0200, Alberto Garcia wrote: > On Sat, Sep 07, 2019 at 09:33:20PM +0200, Salvatore Bonaccorso wrote: > > > Thanks. Could you as well triage the recent CVEs which are fixed in > > DSA-4515-1 for unstable? Which is the first unstable version having > > the fix? >

Bug#908678: Update on the security-tracker git discussion

2019-07-02 Thread Moritz Muehlenhoff
On Tue, Jul 02, 2019 at 01:25:43PM +0200, Salvatore Bonaccorso wrote: > p.s.: Question is if we should do a split as well for the other types of > files which are supported (DSA, TDSA, ...) while at it. We can axe out DTSA/* while we're at it. For DSA/list (and DLA/list) we can initially ke

Bug#908678: Testing the filter-branch scripts

2018-11-14 Thread Moritz Muehlenhoff
On Wed, Nov 14, 2018 at 07:34:03AM +0100, Daniel Lange wrote: > Am 13.11.18 um 23:09 schrieb Moritz Muehlenhoff: > > The current data structure works very well for us and splitting the files > > has many downsides. > > Could you detail what those many downsides are besides th

Bug#908678: Testing the filter-branch scripts

2018-11-13 Thread Moritz Muehlenhoff
On Tue, Nov 13, 2018 at 12:22:54PM -0500, Antoine Beaupré wrote: > But before going through that trouble, I think we'd need to get approval > from the security team first, as that's quite a lot of work. I figured > we would make a feasibility study first... The current data structure works very w

Re: DLA link is broken

2018-11-07 Thread Moritz Muehlenhoff
On Wed, Nov 07, 2018 at 03:38:57PM +0900, Hideki Yamane wrote: > On Tue, 6 Nov 2018 07:45:24 +0100 > Salvatore Bonaccorso wrote: > > Cf. #762255 and related bugs which added support for having the DLA's > > included both in security-tracker source field and on the website. > > Though this needs vo

Re: Dealing with renamed source packages during CVE triaging

2018-06-15 Thread Moritz Muehlenhoff
On Fri, Jun 15, 2018 at 04:34:14PM +1000, Brian May wrote: > Moritz Muehlenhoff writes: > > > On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote: > >> "as I said in the mailing list discussion, I don't like the usage of the > >> undetermined

Re: Dealing with renamed source packages during CVE triaging

2018-06-15 Thread Moritz Muehlenhoff
On Fri, Jun 15, 2018 at 05:21:55PM +1000, Brian May wrote: > Brian May writes: > > > So we could write a script, let's say: > > bin/list-potential-packages-affected-by-code-copies > > In investigating the possibility of this, I noticed the scripts in > lib/python/sectracker use legacy python codi

Re: Dealing with renamed source packages during CVE triaging

2018-06-13 Thread Moritz Muehlenhoff
On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote: > "as I said in the mailing list discussion, I don't like the usage of the > undetermined tag... we use it to hide stuff we can't investigate under > the carpet, I would much prefer that we put it as directly > when it's the case, or othe

Re: Dealing with renamed source packages during CVE triaging

2018-06-12 Thread Moritz Muehlenhoff
On Tue, Jun 12, 2018 at 05:40:34PM +1000, Brian May wrote: > 1. Tagging with / instead of . None of those can be automated. The basic point of is that we lack data to make a proper assessment. The correct way to handle these is to triage https://security-tracker.debian.org/tracker/status/undete

Re: [PATCH 0/8] Cleanup D*A list formatting

2017-05-31 Thread Moritz Muehlenhoff
Philipp Hahn wrote: > for my project I need the information which CVE is fixed by which Debian > package. I do that by reading the DSA list. I tried lib/python/bugs.py > first, but at the end wrote my own parser based on some simple regular > expressions. > While doing that I noticed that the lists

Re: New embedded copy

2016-11-20 Thread Moritz Muehlenhoff
On Sat, Nov 19, 2016 at 06:43:22PM +0100, Martin Quinson wrote: > Hello, > > I am finishing the update to the widelands packaging, and upstream > decided to change their lua version again. They picked lua-eris, a > fork of lua5.3 intended to help persistency. > > I considered packaging this fork

Re: wrong information on tracker page.

2016-09-21 Thread Moritz Muehlenhoff
On Thu, Sep 22, 2016 at 03:02:40PM +1200, Alex King wrote: > https://security-tracker.debian.org/tracker/CVE-2016-6662 > > This page lists mariadb-10.0 as fixed in jessie but still vulnerable > in jessie (security) > > That seems the wrong way around to me? No, that's correct. The fixed version

Re: Sub-release information on per-source-package page

2015-05-25 Thread Moritz Muehlenhoff
Hi, Salvatore Bonaccorso wrote: > On one side we lose though some accuracy/detail view if we don't > have it since there are fixes we release through security which are > not (yet) included into a (old)stable point release (e.g. openjdk-7). But the tracking of those broken updates can still be

Re: Sub-release information on per-source-package page

2015-05-24 Thread Moritz Muehlenhoff
On Sun, May 24, 2015 at 06:08:40PM +0200, Florian Weimer wrote: > Salvatore pointed me to the long-standing bug which causes the > per-source-package pages such as > > > > not to display fixes which have not yet migrated to the

Bug#769128: security-tracker: Extra-Source-Only source packages need to be filtered out

2014-11-11 Thread Moritz Muehlenhoff
Package: security-tracker Severity: normal The security tracker currently displays some packages, e.g. kfreebsd-8 or src:eglibc which are not actually in jessie/sid. Packages having Extra-Source-Only: yes in the Sources file need to be filtered out. See #759356 and #699268 for more information.

Bug#642987: another example for an end-of-life

2014-09-11 Thread Moritz Muehlenhoff
On Thu, Sep 11, 2014 at 06:36:33PM +0200, Holger Levsen wrote: > Hi, > > On Donnerstag, 11. September 2014, Moritz Muehlenhoff wrote: > > Mediawiki in squeeze, e.g. > > https://security-tracker.debian.org/tracker/source-package/mediawikim looks > good to me, only tw

Bug#642987: another example for an end-of-life

2014-09-11 Thread Moritz Muehlenhoff
On Thu, Sep 11, 2014 at 02:52:20PM +0200, Holger Levsen wrote: > Hi Moritz, > > can you please give another example for an issue we don't care about because > the package's support has reached end-of-life? Mediawiki in squeeze, e.g. > CVE-2010-3908 had been fixed > after all, despite being uns

Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Moritz Muehlenhoff
On Wed, Sep 10, 2014 at 08:56:48PM +0200, Yves-Alexis Perez wrote: > On mer., 2014-09-10 at 19:50 +0200, Moritz Muehlenhoff wrote: > > On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote: > > > Hi Salvatore, > > > > > > On Mittwoch, 10. Septem

Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Moritz Muehlenhoff
On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote: > Hi Salvatore, > > On Mittwoch, 10. September 2014, Salvatore Bonaccorso wrote: > > The tabular view clearly would need some improvement and making clear > > where the fix is already, e.g. wheezy-security but not yet wheezy. I > > try

Fake commit mail for security tracker

2013-11-20 Thread Moritz Muehlenhoff
SVN is up again, but the commit bot fails with Warnung: post-commit hook failed (exit code 1) with output: /usr/share/subversion/hook-scripts/commit-email.pl: error in closing `/usr/sbin/sendmail -f'jmm' secure-testing-comm...@lists.alioth.debian.org' for writing: svn: No repository found in 's

Re: CVE-2010-3205 affects textpattern package

2013-05-21 Thread Moritz Muehlenhoff
On Mon, May 20, 2013 at 02:58:40PM +0100, Steven Chamberlain wrote: > Hi, > > CVE-2010-3205 in the Textpattern CMS was marked 'NOT-FOR-US', but > there is a package of the affected version 4.2.0 in oldstable: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3205 > > The patch tracker and

Re: [PATCH 3/4] link proposed patches for libav CVE-2012-2882, CVE-2012-2797 and CVE-2012-2774

2013-01-04 Thread Moritz Muehlenhoff
On Fri, Jan 04, 2013 at 07:04:47AM +0100, Reinhard Tartler wrote: > On Fri, Jan 4, 2013 at 12:19 AM, Reinhard Tartler wrote: > > --- > > CVE/list |4 > > 1 file changed, 4 insertions(+) > > > > diff --git a/CVE/list b/CVE/list > > index 44dabb2..106a5c4 100644 > > --- a/CVE/list > > +++

Re: [PATCH 3/4] link proposed patches for libav CVE-2012-2882, CVE-2012-2797 and CVE-2012-2774

2013-01-04 Thread Moritz Muehlenhoff
On Fri, Jan 04, 2013 at 12:19:16AM +0100, Reinhard Tartler wrote: > --- > CVE/list |4 > 1 file changed, 4 insertions(+) Thanks, committed. Cheers, Moritz

Re: [PATCH 2/4] issues CVE-2012-5359 CVE-2012-5360 and CVE-2012-5361 are pretty unclear

2013-01-04 Thread Moritz Muehlenhoff
On Fri, Jan 04, 2013 at 12:19:15AM +0100, Reinhard Tartler wrote: > upstream is aware and unable to do anything about it with the available > information > --- > CVE/list |9 ++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/CVE/list b/CVE/list > index 0a15cef..44d

Re: [PATCH 1/4] update and comment on CVE-2012-2804

2013-01-04 Thread Moritz Muehlenhoff
On Fri, Jan 04, 2013 at 12:19:14AM +0100, Reinhard Tartler wrote: > --- Committed with slight modifications. > + TODO: upstream needs a proper sample to reproduce the issue Didn't you receive the reproducer from the Google guy? Cheers, Moritz

Re: Comments on current open Libav issues

2013-01-04 Thread Moritz Muehlenhoff
On Fri, Jan 04, 2013 at 12:19:13AM +0100, Reinhard Tartler wrote: > Dear Security Tracker team, > > I've reviewed all open issues in the security tracker for libav, and > commented on each of them. Please find my changes to the CVE/list file > as replies to this thread. Thanks. I'll review later.

Re: Crazy idea: tracking non-issues

2012-08-27 Thread Moritz Muehlenhoff
On Mon, Aug 27, 2012 at 06:09:39PM -0400, Michael Gilbert wrote: > So, every now and then someone publishes an outrageous claim that's > obviously just wrong to anyone with a high-level of technical > knowledge. However, for those with a low to moderate knowledge level, > such things can seem scar

Re: Weekly external check

2012-05-22 Thread Moritz Muehlenhoff
On Tue, May 22, 2012 at 06:42:04AM +, Raphael Geissert wrote: > CVE-2011-3102: TODO: check > CVE-2012-2130: RESERVED > CVE-2012-2373: RESERVED > CVE-2012-2374: RESERVED > CVE-2012-2375: RESERVED > CVE-2012-2625: RESERVED > -- > The output might be a bit terse, but the above ids are known el

Re: php5: many of the "open unimportant issues" would seem to be fixed?

2012-04-23 Thread Moritz Muehlenhoff
On Mon, Apr 23, 2012 at 01:44:58PM +0100, Chris Butler wrote: > Hi, > > Having a quick look at the security tracker for PHP5, it looks to me like a > number of the older "Open unimportant issues" are no longer a problem with > the latest version in Squeeze (5.3.3-7), since a lot of them seem to ha

Re: CVE-2011-4356: Affects celery only, not django-celery

2012-01-03 Thread Moritz Muehlenhoff
On Tue, Jan 03, 2012 at 08:29:23AM +0200, Faidon Liambotis wrote: > Hi, > > On Mon, Jan 02, 2012 at 07:39:16PM +0100, Moritz Mühlenhoff wrote: > > Michael Gilbert already fixed the django-celery entry. We'll record > > 2.4.6 as the fixed version once it has been uploaded. > > 2.4.6-1 was just upl

Re: CVE-2011-3188

2011-10-19 Thread Moritz Muehlenhoff
On Wed, Oct 19, 2011 at 03:12:56PM +0200, Laurent Bonnaud wrote: > Hi, > > I am looking at this page: > > http://security-tracker.debian.org/tracker/CVE-2011-3188 > > The security status is given for 2.6.x kernels but not for 3.x kernels. > Could somebody please add this? Fixed. Cheers,

Bug#642987: Entries marked as should not be displayed as "fixed" in the web overview

2011-09-26 Thread Moritz Muehlenhoff
Package: security-tracker Severity: normal is used to mark a package as no longer supported in an otherwise supported release. Such entries are currently displayed as "fixed" in the issue overview, e.g.: http://security-tracker.debian.org/tracker/CVE-2010-3908. The web overview should rather s

Re: Getting started

2011-07-23 Thread Moritz Muehlenhoff
On Thu, Jul 21, 2011 at 04:26:57PM -0700, Johnathan Ritzi wrote: > Hello, > > I'd like to help out with the Tracker (in whatever minor ways I can), so I > created an Alioth account and requested to be added to the project. I've > read the Introduction document and understand the general idea, but

Re: mailscanner: lock/pid file location symlink attack / TEMP-0000000-477739

2011-02-25 Thread Moritz Muehlenhoff
On Fri, Feb 25, 2011 at 05:54:42AM +0200, he...@nerv.fi wrote: > I think a CVE ID for mailscanner issue "lock/pid file location symlink > attack" is CVE-2008-5313. > > References: > 1: http://security-tracker.debian.org/tracker/TEMP-000-477739 > 2: http://web.nvd.nist.gov/view/vuln/detail?vul

Re: clamav htmlnorm DoS / TEMP-0000000-20B67B

2011-02-25 Thread Moritz Muehlenhoff
On Fri, Feb 25, 2011 at 05:07:19AM +0200, he...@nerv.fi wrote: > Is clamav htmlnorm DoS / TEMP-000-20B67B[1] same as CVE-2007-4510[2]? > > 1: http://security-tracker.debian.org/tracker/TEMP-000-20B67B > 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510 Thanks, I've updated th

Bug#608994: Not all DSAs are displayed in the package overview page

2011-01-05 Thread Moritz Muehlenhoff
Package: security-tracker Severity: normal The package page doesn't list all DSAs, e.g. http://security-tracker.debian.org/tracker/source-package/krb5 All the pre-Lenny DSAs are missing, like DSA-1524 Cheers, Moritz

Re: [SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities

2011-01-01 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > On Tue, Dec 21, 2010 at 12:34 PM, Moritz Muehlenhoff wrote: > > Upgrade instructions > > - > > > > If you are using the apt-get package manager, use the line for > > sources.list as given below: > > For futur

Re: vlc Windows-only security bug

2010-11-15 Thread Moritz Muehlenhoff
On Mon, Nov 15, 2010 at 03:28:01PM +0100, Benjamin Drung wrote: > Hi, > > There is one security bug filed against vlc that affects only Windows > [1]. How do I get this bug removed from the list? > > http://security-tracker.debian.org/tracker/TEMP-0595686-002518 Thanks for getting in touch. I've

Re: CVE-2010-2478, CVE-2010-2537: fixed in linux-2.6 2.6.32-19

2010-09-01 Thread Moritz Muehlenhoff
On Thu, Sep 02, 2010 at 12:01:50AM +0900, Hideki Yamane wrote: > Hi, > > Due to kernel-sec repository, those two CVEs are fixed. > http://svn.debian.org/wsvn/kernel-sec/retired/CVE-2010-2478 > http://svn.debian.org/wsvn/kernel-sec/retired/CVE-2010-2537 > > and debian/patches/bugfix/all/stable

Re: DSA-2022-1 / CVE-identifiers

2010-07-28 Thread Moritz Muehlenhoff
On Wed, Jul 28, 2010 at 05:51:50PM +0300, Henri Salo wrote: > Issue DSA-2022-1 got CVE-identifiers: > > CVE-2010-1189: > a CSS validation issue was discovered which allows editors to display > external images in wiki pages. > > CVE-2010-119

Re: Quesoglc embedded glew/fribidi copies fixed

2010-06-07 Thread Moritz Muehlenhoff
On Sun, Jun 06, 2010 at 11:00:10AM +0100, Bradley Smith wrote: > Hi, > > Quesoglc is listed in embedded-code-copies as embedding fribidi and > glew. Since version 0.7.2-2, quesoglc no longer builds and links against > the embedded glew copy, and since 0.7.2-3, it removes the sources for both > gle

Re: [Secure-testing-commits] r11636 - data/CVE

2010-05-11 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > On Wed, Apr 29, 2009 at 3:21 PM, Kees Cook wrote: > > The sync of NFUs seems to be generally accepted, so we'll continue to do > > that. Should we continue to attempt to open entries for stuff > > that is not yet listed in the Debian tracker? > > note this is in response

Re: A new ambiguity

2010-05-11 Thread Moritz Muehlenhoff
On Sun, May 09, 2010 at 08:05:45PM +0200, Florian Weimer wrote: > I have found what appears to be a previously unknown ambiguity in the > tracker input data. Consider these two DSAs: > > There is a certain amount of repetition involved. Another approach, > also involving repetition, would be to

Re: Refactoring the tracker

2010-05-04 Thread Moritz Muehlenhoff
On Tue, May 04, 2010 at 08:34:38PM +0200, Florian Weimer wrote: > I've decided that it's necessary to clean up the mishmash between SQL > and Python in the tracker code base. As I've mentioned before, there > are three or four different ways for deciding if a vulnerability is > fixed in a particul

Re: Wrong fixed version for cairo and CVE-2009-2044?

2010-04-20 Thread Moritz Muehlenhoff
Gerfried Fuchs wrote: > Actually makes me wonder: Did upstream not provide information in > which of their releases they fixed the issue? No, they did not. This security issue was reported/fixed for Firefox by Mozilla in their internal cairo copy: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Re: Some CVE updates

2010-04-14 Thread Moritz Muehlenhoff
On Wed, Apr 14, 2010 at 12:27:49AM +0200, Mike Hommey wrote: > Hi, > > I went through the CVE list on the security tracker, and noted 2 CVEs > marked as vulnerable in testing/unstable while it is not the case: > - CVE-2009-4630 was fixed during the gecko 1.9.1 development cycle, and > as such wa

Re: Should security tracker and PTS track terminated oldstable security issue as open?

2010-04-14 Thread Moritz Muehlenhoff
On Wed, Apr 14, 2010 at 07:02:05PM +0900, Hideki Yamane wrote: > Hi, > > Should security tracker and PTS track terminated oldstable security issue > as open? > > For example, http://security-tracker.debian.org/tracker/CVE-2007-5935 > only affects etch, however it and PTS says that is "open

Re: moin TEMP issues

2010-03-11 Thread Moritz Muehlenhoff
On Thu, Mar 11, 2010 at 10:23:32AM +0100, Gerfried Fuchs wrote: > Hi! > > Taking a look at the TEMP issues of moin: > > TEMP-000-001638 - this looks like being CVE-2010-0667 > > TEMP-0569975-001302 - I get a feeling like this is either CVE-2010-0668 > or CVE-2010-0669 (or both of th

Re: CVE-2010-0286 and affected versions

2010-02-25 Thread Moritz Muehlenhoff
On Thu, Feb 25, 2010 at 10:40:35PM +0100, Florian Weimer wrote: > * Holger Levsen: > > > why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list > > 4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is > > not in Debian anywhere anymore... > > We somehow

Re: Proposed refactoring of the per-release tracker pages

2010-01-25 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > On Sat, 9 Jan 2010 23:34:26 -0500 Michael Gilbert wrote: > > > On Thu, 7 Jan 2010 23:02:59 -0500 Michael Gilbert wrote: > > > > > Hi all, > > > > > > In order to address some usability, clutter, and transparency issues > > > with the tracker, I propose to make the follow

Re: mantis: doubt about fixing bug

2010-01-13 Thread Moritz Muehlenhoff
On Sun, Jan 10, 2010 at 05:34:41PM +0100, sils wrote: > Hi team, > > I'm the new maintainer of debian mantis package, so I'm reviewing all > pending bugs, and I found out a problem with these bugs: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555264 > http://bugs.debian.org/cgi-bin/bugrep

Re: Update for WebAuth (CVE-2009-2945)

2010-01-13 Thread Moritz Muehlenhoff
Hi, > The security tracker shows CVE-2009-2945 as unfixed, but this was fixed in > 3.6.2-1 for unstable/testing (and is mentioned in the changelog). It > didn't warrant a DSA, so the fix for stable went through > stable-proposed-updates, but it's there as 3.6.0-1+lenny1 for the next > stable rele

Re: Proposed refactoring of the per-release tracker pages

2010-01-11 Thread Moritz Muehlenhoff
On Mon, Jan 11, 2010 at 11:59:32AM -0500, Michael Gilbert wrote: > On Sun, 10 Jan 2010 14:52:11 +0100, Moritz Muehlenhoff wrote: > > Michael Gilbert wrote: > > > > > > As said before the severity is irrelevant, hardly to classify and only > > > > used fo

Re: KVIrc: Debian Etch (oldstable) not affected by CVE-2008-4748

2010-01-11 Thread Moritz Muehlenhoff
Kai Wasserbäch wrote: > [Please CC me, when replying. CCing Raúl and Mark, please keep them in the > loop > too.] > > Dear Moritz, > Moritz Muehlenhoff schrieb am 10.01.2010 19:31: > > Thanks, I've updated the entry in the Security Tracker. > > AFAICS CVE-200

Re: KVIrc: Debian Etch (oldstable) not affected by CVE-2008-4748

2010-01-10 Thread Moritz Muehlenhoff
On Sun, Jan 10, 2010 at 05:50:56PM +0100, Kai Wasserbäch wrote: > [Please CC me, when replying. CCing Raúl and Mark, please keep them in the > loop > too.] > > Dear Security Team members, > I investigated the security tracker item for CVE-2008-4748 [0]. As it turns > out, > this is also [1] a Wi

Re: Proposed refactoring of the per-release tracker pages

2010-01-10 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > > As said before the severity is irrelevant, hardly to classify and only > > used for some prioritisation. They should not be mandatory. > > I personally think that urgency does have relevance, which I've > mentioned a few times before [0],[1],[2]. In particular, it is ver

Re: Proposed refactoring of the per-release tracker pages

2010-01-08 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > In order to address some usability, clutter, and transparency issues > with the tracker, I propose to make the following changes: > > 1. By default, the per-release pages (e.g. [0]) will only show low, > medium, and high urgencies. Plus issues where no severity is set. B

Re: Tracker web service changes

2010-01-07 Thread Moritz Muehlenhoff
On Thu, Jan 07, 2010 at 06:12:57PM -0500, Michael Gilbert wrote: > On Thu, 07 Jan 2010 14:56:07 -0600 Raphael Geissert wrote: > > > Hi everyone, > > > > I've been thinking about adding a link to RedHat's bugzilla next to the NVD > > link on the web service. Since we share a fair amount of package

Re: Documentation for the new tag

2010-01-06 Thread Moritz Muehlenhoff
On Sun, Jan 03, 2010 at 07:07:11PM -0500, Michael Gilbert wrote: > On Sun, 3 Jan 2010 18:35:15 -0500 Michael Gilbert wrote: > > Any questions or feedback, please let me know. > > I forgot to mention that some issues are still being resolved, and > while it is technically valid to use the new tag,

Re: CVE-2009-4007

2010-01-06 Thread Moritz Muehlenhoff
On Tue, Jan 05, 2010 at 08:15:08AM +0100, Rubidium wrote: > Hi, > > I am looking at this security issue: > http://security-tracker.debian.org/tracker/CVE-2009-4007 > where the sid version of the alpha architecture is said to be 0.7.3-1. > > According to http://qa.debian.org/madison.php?package=o

dtoa embeddings

2009-12-03 Thread Moritz Muehlenhoff
Hi, please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518927 If someone has time, please check the packages mentioned there and add it to embedded-code-copies. There might be yet undiscovered occurrences of CVE-2009-0689. Cheers, Moritz

Re: CVE-2009-1284

2009-11-24 Thread Moritz Muehlenhoff
Michael Gilbert wrote: > On Fri, 20 Nov 2009 03:06:50 +0100 Norbert Preining wrote: > > > On Do, 19 Nov 2009, Raphael Geissert wrote: > > > The bug submitter was not somebody from the team and apparently nobody > > > noticed it was fixed already, thanks for notifying. The tracker is > > > manuall

Bug#555164: New tracker status:

2009-11-08 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist We should create a new status in the Security Tracker to track issues, which are unsupported for a specific suite. In the package overview it should be handled equivalently to "fixed". Right now, the xulrunner status page is mostly useless, since the un

Re: CVE-2009-3725

2009-11-08 Thread Moritz Muehlenhoff
On Sun, Nov 08, 2009 at 10:46:15AM +0100, Laurent Bonnaud wrote: > Hi, > > I am looking at this security issue: > > http://security-tracker.debian.org/tracker/CVE-2009-3725 > > where the sid version is marked as vulnerable. > > According to the description, it should be fixed in linux 2.6.31.5

Re: binnmu's are untrackable

2009-11-01 Thread Moritz Muehlenhoff
On Fri, Oct 30, 2009 at 02:05:50PM -0400, Michael Gilbert wrote: > On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote: > > hi all, > > > > it looks like we can't appropriately mark issues that are addressed via > > binnmu's in the tracker. see [0] where advi source is 1.6.0-14 and the > >

Re: CVE-2009-2140

2009-10-26 Thread Moritz Muehlenhoff
On Sat, Oct 24, 2009 at 12:20:54PM +0200, Laurent Bonnaud wrote: > Hi, > > I am looking at this security issue: > > http://security-tracker.debian.org/tracker/CVE-2009-2140 > > and all Debian packages are marked as vulnerable whereas versions 3.0.1 > and above should be fixed. Could somebody

Re: Incorrect information in security tracker regarding the mahara package

2009-10-23 Thread Moritz Muehlenhoff
Francois Marier wrote: > (please CC me on replies, I'm not on this list) > > Hi, > > I just want to report that this issue: > > http://security-tracker.debian.org/tracker/CVE-2009-2171 > > does not apply to the 1.0 series of Mahara, as mentioned on the upstream > advisory: > > http://mahar

Re: faster tracker data processing

2009-10-02 Thread Moritz Muehlenhoff
On Wed, Sep 30, 2009 at 11:49:54PM -0500, Raphael Geissert wrote: > Hi, > > I haven't had much time lately to actively audit and fix vulnerabilities, > but I usually take a look at the commits and there are times I see that a > new CVE id was assigned to some app shipped on Debian. > > What is th

Re: [Secure-testing-commits] r12552 - data/CVE

2009-08-10 Thread Moritz Muehlenhoff
On Mon, Aug 10, 2009 at 08:24:10PM +0200, Nico Golde wrote: > Hi, > * Michael S. Gilbert [2009-08-10 20:18]: > > On Mon, 10 Aug 2009 18:09:16 +, Nico Golde wrote: > [...] > > > -CVE-2009-2414 > > > +CVE-2009-2414 [libxml2 stack recursion] > > > RESERVED > > > + - libxml2 (medium; bug #5408

Bug#529788: Display all bugs, which don't have a bug filed

2009-06-01 Thread Moritz Muehlenhoff
>> This makes it easier to find the bugs which still need to be >> triaged (even it only means to file a bug and ask the maintainer >> to investigate) or find existing bugs which need to be added to the >> tracker data. > > Another interesting view would be all open BTS bugs with tag security > that

Bug#529788: Display all bugs, which don't have a bug filed

2009-05-21 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist The web interface of the security tracker should get a new view which displays all bugs marked as unfixed which don't have a bug associated. This makes it easier to find the bugs which still need to be triaged (even it only means to file a bug and ask

Re: unsupported packages

2009-04-26 Thread Moritz Muehlenhoff
On Mon, Apr 20, 2009 at 10:11:36PM +0200, Nico Golde wrote: > Hi, > I just added vmware-package to the package-tags file to > reflect that we can't provide security support for this > package (Cced maintainers to inform them of this). > > The vmware-package comes with a script that uses an upstr

Re: [Secure-testing-commits] r11636 - data/CVE

2009-04-20 Thread Moritz Muehlenhoff
Kees Cook wrote: > On Fri, Apr 17, 2009 at 09:48:47AM -0400, Michael S. Gilbert wrote: > > i have one request to improve the process: please submit a 'NOTE' with > > a link to the ubuntu patch whenever you issue a fix that hasn't been > > issued by debian yet. this will help to increase the debia

Re: spu-candidates / opsu-candidates

2009-03-11 Thread Moritz Muehlenhoff
On Wed, Mar 11, 2009 at 02:22:58AM +0100, Nico Golde wrote: > Hi, > * Moritz Muehlenhoff [2009-03-11 01:57]: > > On Tue, Mar 10, 2009 at 01:58:04PM +, n...@alioth.debian.org wrote: > > > Author: nion > > > Date: 2009-03-10 13:58:03 + (Tue, 10 Mar 2

spu-candidates / opsu-candidates

2009-03-10 Thread Moritz Muehlenhoff
On Tue, Mar 10, 2009 at 01:58:04PM +, n...@alioth.debian.org wrote: > Author: nion > Date: 2009-03-10 13:58:03 + (Tue, 10 Mar 2009) > New Revision: 11367 > > Modified: >data/CVE/list >data/spu-candidates.txt > Log: > - spu notifications We should likely re-organise to ospu-candid

Re: Tracker vs. testing: not OK

2009-02-21 Thread Moritz Muehlenhoff
Francesco Poli wrote: > > As announced, we do not provide full testing-security for a few weeks. > > I am aware of that (even though I really hope that the meaning of "few" > is more close to 1 as possible!), but I think this is *not* a good > reason to show more vulnerabilities in testing than a

Re: No DSA-168[67]-1 on the tracker

2008-12-17 Thread Moritz Muehlenhoff
On Wed, Dec 17, 2008 at 07:41:01PM +0100, Francesco Poli wrote: > On Wed, 17 Dec 2008 11:50:14 +0100 (CET) Thijs Kinkhorst wrote: > > [...] > > Something went wrong which brought the checkout the script uses to commit > > its update in, in a conflict state. I resolved that now, and Florian added >

Re: geshi vs. tracker

2008-12-04 Thread Moritz Muehlenhoff
On Thu, Dec 04, 2008 at 10:08:32PM +0100, Francesco Poli wrote: > Hi everyone (again), > > DTSA-179-1 was issued on last Sunday. > Its tracker page [1] says that geshi/1.0.7.22-1+lenny1 fixes two CVEs > in lenny. > Can someone explain why the tracker is still convinced that no lenny > (security) v

Re: DSA-1681-1 vs. tracker

2008-12-04 Thread Moritz Muehlenhoff
> The DSA [1] claims that all the CVEs are fixed in etch by > linux-2.6.24/2.6.24-6~etchnhalf.7, while the tracker pages for > CVE-2008-5134 [3] and CVE-2008-5182 [4] claim that etch is still vulnerable. Fixed. Cheers, Moritz

Bug#507157: security-tracker: The tracker should track experimental

2008-11-28 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist The apt sources of experimental should be parsed as well. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=C,

Re: DSA-1669-1 vs. tracker

2008-11-27 Thread Moritz Muehlenhoff
On Wed, Nov 26, 2008 at 05:52:48PM +0100, Gerfried Fuchs wrote: > * Francesco Poli <[EMAIL PROTECTED]> [2008-11-23 22:07:30 CET]: > > DSA-1669-1 [1] has been just issued and a corresponding tracker > > page [2] was added. > > > > However, it seems that there are some inconsistencies between the >

Re: Conflicting Information on CVE-2008-3699 Page

2008-10-24 Thread Moritz Muehlenhoff
On Fri, Oct 24, 2008 at 12:13:10AM -0400, Michael Gilbert wrote: > >> The tracker page [1] for CVE-2008-3699 says "Debian/stable not known > >> to be vulnerable", yet in the next section it says that "etch 1.4.4-4 > >> vulnerable". These two statements contradict one another, and lead one > >> clu

Re: [Secure-testing-commits] r9978 - / data data/CVE

2008-10-07 Thread Moritz Muehlenhoff
On Tue, Oct 07, 2008 at 11:10:58PM +0200, Moritz Muehlenhoff wrote: > On Tue, Oct 07, 2008 at 11:26:47PM +1100, Steffen Joeris wrote: > > Hi > > > > > @@ -33,9 +28,11 @@ > > > Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) > > > Binary-packa

Re: [Secure-testing-commits] r9978 - / data data/CVE

2008-10-07 Thread Moritz Muehlenhoff
On Tue, Oct 07, 2008 at 11:26:47PM +1100, Steffen Joeris wrote: > Hi > > > @@ -33,9 +28,11 @@ > > Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) > > Binary-package: mon (0.99.2-12) > > Binary-package: qemu (0.9.1-5) > > + Binary-package: openswan (1:2.4.12+dfsg-1.1) > I just had a loo

Re: [Secure-testing-commits] r9971 - / data data/CVE

2008-10-07 Thread Moritz Muehlenhoff
> > DSA: (Name in brackets if someone prepares a DSA) > > Binary-package: feta (1.4.16) (jmm) > > + Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) > > I just had a quick chat with the maintainer and it seems that the insecure > temp file handling exists only in example scripts, which a

Re: CVE-2007-6514 shouldn't apply to the linux-2.6 package

2008-08-10 Thread Moritz Muehlenhoff
[Digging through the mail back log] On Wed, Jul 23, 2008 at 07:33:16PM -0400, Michael Gilbert wrote: > > This needs to be fixed in smbfs. It very likely is already on current > > etch, it only needs someone to test it with the Etch kernel. > > i meant that the tracker should be updated so that th

Re: [Secure-testing-commits] r9475 - data/CVE

2008-07-31 Thread Moritz Muehlenhoff
Steffen Joeris wrote: > On Thu, 31 Jul 2008 06:10:43 pm [EMAIL PROTECTED] wrote: > > Author: thomasbl-guest > > Date: 2008-07-31 08:10:42 + (Thu, 31 Jul 2008) > > New Revision: 9475 > > > > Modified: > >data/CVE/list > > Log: > > CVE-2008-3312 done > > > > > > > > Modified: data/CVE/list >
