Author: nion Date: 2009-08-10 18:58:17 +0000 (Mon, 10 Aug 2009) New Revision: 12553 Modified: data/CVE/list Log: fix libxml annotation Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-10 18:09:16 UTC (rev 12552) +++ data/CVE/list 2009-08-10 18:58:17 UTC (rev 12553) @@ -964,7 +964,7 @@ CVE-2009-2416 [libxml2 pointer-user-after-free] RESERVED - libxml2 <unfixed> (low; bug #540865) - [etch] - libxml <unfixed> + [lenny] - libxml <removed> CVE-2009-2415 [heap-based buffer overflow in memcached] RESERVED {DSA-1853-1} @@ -976,7 +976,7 @@ CVE-2009-2414 [libxml2 stack recursion] RESERVED - libxml2 <unfixed> (medium; bug #540865) - [etch] - libxml <unfixed> + [lenny] - libxml <removed> CVE-2009-2413 RESERVED CVE-2009-2412 (Multiple integer overflows in the Apache Portable Runtime (APR) ...)
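Review bot: the `+` lines in both hunks (the CVE-2009-2416 and CVE-2009-2414 entries) replace `[etch] - libxml <unfixed>` with `[lenny] - libxml <removed>`, which drops the only statement about etch and records the removal for lenny alone, so etch is left to be tracked only implicitly. The follow-ups in this thread settle on an unqualified line, `libxml <removed>` next to `libxml2 <unfixed> (medium; bug #540865)`, and let the tracker derive lenny as removed and etch as unfixed from what each suite still ships; that form expresses the intent more directly than a suite-qualified entry. Minor: the context line `[libxml2 pointer-user-after-free]` reads like a typo for `pointer use-after-free`.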
Michael S. Gilbert
2009-Aug-10 19:10 UTC
[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> Author: nion
> Date: 2009-08-10 18:58:17 +0000 (Mon, 10 Aug 2009)
> New Revision: 12553
>
> Modified:
> data/CVE/list
> Log:
> fix libxml annotation
>
> Modified: data/CVE/list
> ==================================================================
> --- data/CVE/list 2009-08-10 18:09:16 UTC (rev 12552)
> +++ data/CVE/list 2009-08-10 18:58:17 UTC (rev 12553)
> @@ -964,7 +964,7 @@
> CVE-2009-2416 [libxml2 pointer-user-after-free]
> RESERVED
> - libxml2 <unfixed> (low; bug #540865)
> - [etch] - libxml <unfixed>
> + [lenny] - libxml <removed>
> CVE-2009-2415 [heap-based buffer overflow in memcached]
> RESERVED
> {DSA-1853-1}
> @@ -976,7 +976,7 @@
> CVE-2009-2414 [libxml2 stack recursion]
> RESERVED
> - libxml2 <unfixed> (medium; bug #540865)
> - [etch] - libxml <unfixed>
> + [lenny] - libxml <removed>

i still don't think this is what you're trying to get at. you want to mark it as removed from unstable, which will automatically also mark it removed from lenny. then you want to do something special for etch, and i think your intent is a no-dsa? or if you don't want to do that, you can not add an etch entry, and it will be tracked as affected.

mike
Nico Golde
2009-Aug-10 19:35 UTC
[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
[...]
> > CVE-2009-2414 [libxml2 stack recursion]
> > RESERVED
> > - libxml2 <unfixed> (medium; bug #540865)
> > - [etch] - libxml <unfixed>
> > + [lenny] - libxml <removed>
>
> i still don't think this is what you're trying to get at. you want to
> mark it as removed from unstable, which will automatically also mark
> it removed from lenny.

No, why should it remove it as removed from lenny as well in this case?

> then you want to do something special for etch, and i think your intent
> is a no-dsa?

Not sure yet.

> or if you don't want to do that, you can not add an etch
> entry, and it will be tracked as affected.

So my current intention is to mark lenny as not containing libxml and since this will be tracked upwards unless marked as unfixed in unstable this should mark unstable as not containing libxml as well but etch as unfixed.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Michael S. Gilbert
2009-Aug-10 19:51 UTC
[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
On Mon, 10 Aug 2009 21:35:17 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> [...]
> > > CVE-2009-2414 [libxml2 stack recursion]
> > > RESERVED
> > > - libxml2 <unfixed> (medium; bug #540865)
> > > - [etch] - libxml <unfixed>
> > > + [lenny] - libxml <removed>
> >
> > i still don't think this is what you're trying to get at. you want to
> > mark it as removed from unstable, which will automatically also mark
> > it removed from lenny.
>
> No, why should it remove it as removed from lenny as well in
> this case?

the tracker is smart. if you mark a package as <removed> in unstable, and it is indeed removed in lenny also, then it will automatically track as removed.

> So my current intention is to mark lenny as not containing
> libxml and since this will be tracked upwards unless marked
> as unfixed in unstable this should mark unstable as not
> containing libxml as well but etch as unfixed.

i committed a change that does what i think you intended to do, please check the CVE pages on the tracker for those issues to see if it's what you expect.

mike
Nico Golde
2009-Aug-10 21:06 UTC
[Secure-testing-team] keeping track of packages in different distributions (was: [Secure-testing-commits] r12553 - data/CVE)
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 22:05]:
> On Mon, 10 Aug 2009 21:35:17 +0200, Nico Golde wrote:
> > * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> > [...]
> > > > CVE-2009-2414 [libxml2 stack recursion]
> > > > RESERVED
> > > > - libxml2 <unfixed> (medium; bug #540865)
> > > > - [etch] - libxml <unfixed>
> > > > + [lenny] - libxml <removed>
> > >
> > > i still don't think this is what you're trying to get at. you want to
> > > mark it as removed from unstable, which will automatically also mark
> > > it removed from lenny.
> >
> > No, why should it remove it as removed from lenny as well in
> > this case?
>
> the tracker is smart. if you mark a package as <removed> in unstable,
> and it is indeed removed in lenny also, then it will automatically
> track as removed.

Ok I didn't know this.

> > So my current intention is to mark lenny as not containing
> > libxml and since this will be tracked upwards unless marked
> > as unfixed in unstable this should mark unstable as not
> > containing libxml as well but etch as unfixed.
>
> i committed a change that does what i think you intended to do, please
> check the CVE pages on the tracker for those issues to see if it's what
> you expect.

Thanks! Looks good. Though I am still wondering why it lists:

Package Type Release Fixed Version Urgency Origin Debian Bugs
libxml source (unstable) (unfixed) unknown

There is no libxml source in unstable.

Cheers
Nico
Michael S. Gilbert
2009-Aug-10 21:26 UTC
[Secure-testing-team] keeping track of packages in different distributions (was: [Secure-testing-commits] r12553 - data/CVE)
On Mon, 10 Aug 2009 23:06:43 +0200, Nico Golde wrote:
> Thanks! Looks good. Though I am still wondering why it
> lists:
> Package Type Release Fixed Version Urgency Origin Debian Bugs
> libxml source (unstable) (unfixed) unknown
>
> There is no libxml source in unstable.

i think this is just a presentation problem. the tracker needs to be updated to say "(unstable) (removed)" or something like that for <removed> tags.

mike
Moritz Muehlenhoff
2009-Aug-11 17:07 UTC
[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
On Mon, Aug 10, 2009 at 09:35:17PM +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> [...]
> > > CVE-2009-2414 [libxml2 stack recursion]
> > > RESERVED
> > > - libxml2 <unfixed> (medium; bug #540865)
> > > - [etch] - libxml <unfixed>
> > > + [lenny] - libxml <removed>
> >
> > i still don't think this is what you're trying to get at. you want to
> > mark it as removed from unstable, which will automatically also mark
> > it removed from lenny.
>
> No, why should it remove it as removed from lenny as well in
> this case?
>
> > then you want to do something special for etch, and i think your intent
> > is a no-dsa?
>
> Not sure yet.
>
> > or if you don't want to do that, you can not add an etch
> > entry, and it will be tracked as affected.
>
> So my current intention is to mark lenny as not containing
> libxml and since this will be tracked upwards unless marked
> as unfixed in unstable this should mark unstable as not
> containing libxml as well but etch as unfixed.

Just use:
libxml2 <unfixed> (medium; bug #540865)
libxml <removed>

The tracker knows which source package is present in which suite. If a package is marked as <removed> in unstable it is automatically marked as unfixed for all the suites it still remains in.

(It would be nice if anyone could add this to the introductory explanation document.)

Cheers,
Moritz
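The resolution rules spelled out in this thread (an unqualified line states the unstable status and propagates to every suite that still ships the source, a `[suite]` line overrides it for that suite only, `<removed>` in unstable counts as unfixed wherever the source remains, and a suite with no entry at all is tracked as affected) can be modelled in a few lines of Python. This is an added example, not the security tracker's own code: the suite contents are a constructed assumption, treating a source absent from a suite as "removed" is an assumption, and the "(unstable) (unfixed)" display glitch Nico noticed is not modelled.

```python
import re

# Constructed assumption: which source packages each suite still ships.
# In the thread, libxml is gone from lenny and unstable but still in etch.
SUITE_CONTENTS = {
    "etch": {"libxml", "libxml2"},
    "lenny": {"libxml2"},
    "unstable": {"libxml2"},
}

# One annotation line: optional "[suite]" qualifier, then "- pkg <pseudo-version>".
ENTRY = re.compile(r"^(?:\[(?P<suite>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)\s+<(?P<state>[^>]+)>")

def parse_entry(block):
    """Map each package in one CVE block to {suite or 'unstable': state}."""
    states = {}
    for line in block.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # the CVE header and RESERVED lines do not match and are skipped
            suite = m.group("suite") or "unstable"
            states.setdefault(m.group("pkg"), {})[suite] = m.group("state")
    return states

def resolve(states, pkg, suite, contents=SUITE_CONTENTS):
    """Status of pkg in suite under the rules the thread describes."""
    per_pkg = states.get(pkg, {})
    if suite in per_pkg:                    # an explicit [suite] line wins
        return per_pkg[suite]
    if pkg not in contents.get(suite, ()):  # tracker knows it is not shipped here
        return "removed"
    unstable = per_pkg.get("unstable")
    if unstable in (None, "removed"):       # still shipped, nothing says fixed
        return "unfixed"
    return unstable                         # e.g. "unfixed" inherited from unstable

def status_table(block, pkg, contents=SUITE_CONTENTS):
    """Resolve pkg for every suite, e.g. {'etch': 'unfixed', 'lenny': 'removed', ...}."""
    states = parse_entry(block)
    return {suite: resolve(states, pkg, suite, contents) for suite in sorted(contents)}

# Constructed from the thread: the committed (r12553) form and Moritz's suggestion.
COMMITTED = "CVE-2009-2414 [libxml2 stack recursion]\n\tRESERVED\n" \
            "\t- libxml2 <unfixed> (medium; bug #540865)\n\t[lenny] - libxml <removed>\n"
SUGGESTED = "CVE-2009-2414 [libxml2 stack recursion]\n\tRESERVED\n" \
            "\t- libxml2 <unfixed> (medium; bug #540865)\n\t- libxml <removed>\n"

if __name__ == "__main__":
    for name, block in (("committed", COMMITTED), ("suggested", SUGGESTED)):
        print(name, status_table(block, "libxml"))  # etch unfixed, lenny and unstable removed
```

Both annotation forms resolve libxml to the same picture (unfixed in etch, removed in lenny and unstable); the suggested one states the unstable status explicitly instead of relying on the suite-contents lookup.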
Michael S. Gilbert
2009-Aug-11 17:14 UTC
[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
On Tue, 11 Aug 2009 19:07:06 +0200, Moritz Muehlenhoff wrote:
> On Mon, Aug 10, 2009 at 09:35:17PM +0200, Nico Golde wrote:
> > Hi,
> > * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> > [...]
> > > > CVE-2009-2414 [libxml2 stack recursion]
> > > > RESERVED
> > > > - libxml2 <unfixed> (medium; bug #540865)
> > > > - [etch] - libxml <unfixed>
> > > > + [lenny] - libxml <removed>
> > >
> > > i still don't think this is what you're trying to get at. you want to
> > > mark it as removed from unstable, which will automatically also mark
> > > it removed from lenny.
> >
> > No, why should it remove it as removed from lenny as well in
> > this case?
> >
> > > then you want to do something special for etch, and i think your intent
> > > is a no-dsa?
> >
> > Not sure yet.
> >
> > > or if you don't want to do that, you can not add an etch
> > > entry, and it will be tracked as affected.
> >
> > So my current intention is to mark lenny as not containing
> > libxml and since this will be tracked upwards unless marked
> > as unfixed in unstable this should mark unstable as not
> > containing libxml as well but etch as unfixed.
>
> Just use:
> libxml2 <unfixed> (medium; bug #540865)
> libxml <removed>

i helped Nico to do exactly this yesterday.

> The tracker knows which source package is present in which
> suite. If a package is marked as <removed> in unstable it is
> automatically marked as unfixed for all the suites it still
> remains in.
>
> (It would be nice if anyone could add this to the introductory
> explanation document.)

if i find the time, i will.

mike