Joey Hess
2005-Aug-26 20:24 UTC
[Secure-testing-commits] r1660 - / data data/CAN data/CVE data/DTSA doc website
Author: joeyh Date: 2005-08-26 20:24:15 +0000 (Fri, 26 Aug 2005) New Revision: 1660 Added: data/DTSA/ data/DTSA/DTSA-1-1 data/DTSA/list data/DTSA/mkadvisory data/DTSA/template Modified: TODO data/CAN/Makefile data/CAN/list data/CVE/Makefile data/checklist data/updatelist doc/announce.2 website/index.html Log: - add support for DTSAs, with a new DTDA directory, a script to generate them, etc - automatic db update with DTSA Modified: TODO ==================================================================--- TODO 2005-08-26 18:51:21 UTC (rev 1659) +++ TODO 2005-08-26 20:24:15 UTC (rev 1660) @@ -1,12 +1,5 @@ * Set up for DTSAs - - Procedure for DTSA number assignment. - - - Need a way to generate a DTSA given a set of .changes files - for the packages/architectures that will be in the DTSA. The amber - program in katie can do this, but is not designed for our situation. - Something based on amber''s template needs to be implemented. - - Need a way for team members to hint packages from etch-proposed-updates to etch on secure-testing-master. Hint files similar to those used by release team? @@ -14,10 +7,12 @@ - Need a way to do an advisory for some arches and then auto-sync the rest as they get built. - - Web display of DTSAs + - Web display of DTSAs. - - Integrate DTSAs into checklist script, so it stops listing holes that - have had a DTSA issued. + - Better integrate DTSAs into checklist script, so it stops listing holes + that have had a DTSA issued. + + - Auto moderation of developer signed mails to -announce. * Merge stuff into security.debian.org. Long term, but we need to keep in mind that the current setup is just to get bootstrapped. Modified: data/CAN/Makefile ==================================================================--- data/CAN/Makefile 2005-08-26 18:51:21 UTC (rev 1659) +++ data/CAN/Makefile 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -1,5 +1,5 @@ update: rm -f full-can.html wget --quiet http://www.cve.mitre.org/cve/candidates/downloads/full-can.html - ../updatelist full-can.html ../DSA/list list > list.new + ../updatelist full-can.html ../DSA/list ../DTSA/list list > list.new mv -f list.new list Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-08-26 18:51:21 UTC (rev 1659) +++ data/CAN/list 2005-08-26 20:24:15 UTC (rev 1660) @@ -156,8 +156,10 @@ CAN-2005-2628 NOTE: reserved CAN-2005-2627 (Multiple integer underflows in Kismet before 2005-08-R1 allow remote ...) + {DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CAN-2005-2626 (Unspecified vulnerability in Kismet before 2005-08-R1 allows remote ...) + {DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CAN-2004-2476 (Microsoft Internet Explorer 6.0 allows remote attackers to cause a ...) NOTE: not-for-us (MS IE) @@ -3823,12 +3825,14 @@ NOTE: not-for-us (arshell) CAN-2005-1857 NOTE: reserved + {DSA-786-1} CAN-2005-1856 [backup-manager: Potential symlink attack through hard coded file name] NOTE: reserved - {DSA-786-1} + {DSA-787-1} - backup-manager 0.5.8-2 (low) CAN-2005-1855 [Insecure default permissions in backup-manager] NOTE: reserved + {DSA-787-1} - backup-manager 0.5.8-2 (medium) CAN-2005-1854 (Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing ...) {DSA-772-1} Modified: data/CVE/Makefile ==================================================================--- data/CVE/Makefile 2005-08-26 18:51:21 UTC (rev 1659) +++ data/CVE/Makefile 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -1,5 +1,5 @@ update: rm -f full-cve.html wget --quiet http://www.cve.mitre.org/cve/downloads/full-cve.html - ../updatelist full-cve.html ../DSA/list list > list.new + ../updatelist full-cve.html ../DSA/list ../DTSA/list list > list.new mv -f list.new list Added: data/DTSA/DTSA-1-1 ==================================================================--- data/DTSA/DTSA-1-1 2005-08-26 18:51:21 UTC (rev 1659) +++ data/DTSA/DTSA-1-1 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -0,0 +1,55 @@ +------------------------------------------------------------------------------ +Debian Testing Security Advisory DTSA-1-1 http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org Joey Hess +August 26th, 2005 +------------------------------------------------------------------------------ + +Package : kismet +Vulnerability : remote code execution +Problem-Type : remote +Debian-specific: no +CVE ID : CAN-2005-2626 CAN-2005-2627 + +Multiple security holes have been discovered in kismet: + + CAN-2005-2627 + + Multiple integer underflows in Kismet allow remote attackers to execute + arbitrary code via (1) kernel headers in a pcap file or (2) data frame + dissection, which leads to heap-based buffer overflows. + + CAN-2005-2626 + + Unspecified vulnerability in Kismet allows remote attackers to have an + unknown impact via unprintable characters in the SSID. + +For the testing distribution (etch) this is fixed in version +2005.08.R1-0.1etch1. + +For the unstable distribution (sid) this is fixed in version +2005.08.R1-1. + +This upgrade is strongly recommended if you use kismet. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. 
+ +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + + apt-get update && apt-get install kismet + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ Added: data/DTSA/list ==================================================================--- data/DTSA/list 2005-08-26 18:51:21 UTC (rev 1659) +++ data/DTSA/list 2005-08-26 20:24:15 UTC (rev 1660) @@ -0,0 +1,3 @@ +[26 Aug 2005] DTSA-1-1 kismet - remote code execution + {CAN-2005-2626 CAN-2005-2627} + - kismet 2005.08.R1-0.1etch1 (high) Added: data/DTSA/mkadvisory ==================================================================--- data/DTSA/mkadvisory 2005-08-26 18:51:21 UTC (rev 1659) +++ data/DTSA/mkadvisory 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -0,0 +1,119 @@ +#!/usr/bin/perl +# Generate an advisory using a template. +use strict; +use warnings; +use User::pwent; +use Date::Format; +use Term::ReadLine; + +my $prefix="DTSA"; +my $advisory=getadvisory(); + +my %subst; +my %substchoices=( + DEBIAN_SPECIFIC => ["no","yes"], + TYPE => ["local", "remote"], +); +my %urgencytorecommendation=( + high => "strongly recommended", + medium => "recommended", + low => "encouraged", +); +my $term = Term::ReadLine->new("mkadvisory"); + +sub getsubst { + my $in=shift; + # Use any numer of X''s around the left or right side of a + # variable to pad it to its max width, this will be turned + # into spaces for alignment. + my ($lpad, $var, $rpad)=$in=~/(X*)([^X]+)(X*)/; + $lpad=length($lpad); + $rpad=length($rpad); + + if (! exists $subst{$var}) { + if ($var eq ''ADVISORY'') { + $subst{$var}=$advisory; + } + elsif ($var eq ''WHOAMI'') { + my ($fullname, $office, $workphone, $homephone) + split /\s*,\s*/, getpwuid($<)->gecos; + $subst{$var}=$fullname; + } + elsif ($var eq ''DATE'') { + $subst{$var}=time2str("%B %o, %Y", time, "UTC"); + } + elsif ($var eq ''UPGRADE_RECOMMENDATION'') { + print "Choose from ".join(", ", keys %urgencytorecommendation)."\n"; + while ($subst{URGENCY}=$term->readline("URGENCY: ", ''high'')) { + if (exists $urgencytorecommendation{$subst{URGENCY}}) { + last; + } + } + $subst{$var}=$urgencytorecommendation{$subst{URGENCY}}; + } + else { + if (exists($substchoices{$var})) { + print "Choose from ".join(", ", @{$substchoices{$var}})."\n"; + $subst{$var}=$term->readline("$var: ", $substchoices{$var}->[0]); + } + else { + $subst{$var}=$term->readline("$var: "); + } + } + } + my $ret=$subst{$var}; + if ($lpad && length($ret) < length($in) + 4) { + $ret=(" " x (length($in) + 4 - length($ret))).$ret; + } + if ($rpad && length($ret) < length($in) + 4) { + $ret.=(" " x (length($in) + 4 - length($ret))); + } + return $ret; +} + +# Get the advisory number. 
If a parameter is passed, use that as the +# number, otherwise, find the next unused one. +sub getadvisory { + my $num; + if (@ARGV) { + $num=shift; + } + else { + $num=1; + foreach my $file (glob("$prefix-*")) { + my ($major, $minor)=$file=~/$prefix-(.*)-(.*)/; + if ($major >= $num) { + $num=$major+1; + } + } + $num="$num-1"; + } + if (-e "$prefix-$num") { + die "$prefix-$num already exists\n"; + } + return "$prefix-$num"; +} + +print "Creating $advisory ...\n"; +open (OUT, ">$advisory") || die "write $advisory: $!"; +open (TEMPLATE, "template") || die "read template: $!"; +while (<TEMPLATE>) { + s/__([A-Z_]+)__/getsubst($1)/eg; + print OUT; +} +close TEMPLATE; +close OUT; + +print "Adding to list ...\n"; +open (IN, "list") || die "read list: $!"; +my @list=<IN>; +close IN; +open (OUT,">list") || die "write list: $!"; +print OUT "[".time2str("%e %b %Y", time, "UTC")."] $advisory $subst{PACKAGE} - $subst{SHORTDESC}\n"; +print OUT "\t{$subst{CVE}}\n" if length $subst{CVE}; +print OUT "\t- $subst{PACKAGE} $subst{TESTINGVER} ($subst{URGENCY})\n"; +print OUT @list; +close OUT; + +print "Editing $advisory ...\n"; +exec("sensible-editor", $advisory); Property changes on: data/DTSA/mkadvisory ___________________________________________________________________ Name: svn:executable + * Added: data/DTSA/template ==================================================================--- data/DTSA/template 2005-08-26 18:51:21 UTC (rev 1659) +++ data/DTSA/template 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -0,0 +1,44 @@ +------------------------------------------------------------------------------ +Debian Testing Security Advisory __ADVISORYX__http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org __XXXXXXXXXXXXXXXXXXXXXXXWHOAMI__ +__DATE__ +------------------------------------------------------------------------------ + +Package : __PACKAGE__ +Vulnerability : __SHORTDESC__ +Problem-Type : __TYPE__ +Debian-specific: __DEBIAN_SPECIFIC__ +CVE ID : __CVE__ + +__DESCRIPTION__ + +For the testing distribution (etch) this is fixed in version +__TESTINGVER__. + +For the unstable distribution (sid) this is fixed in version +__UNSTABLEVER__. + +This upgrade is __UPGRADE_RECOMMENDATION__ if you use __PACKAGE__. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. + +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + + apt-get update && apt-get install __PACKAGE__ + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ Modified: data/checklist ==================================================================--- data/checklist 2005-08-26 18:51:21 UTC (rev 1659) +++ data/checklist 2005-08-26 20:24:15 UTC (rev 1660) 
@@ -82,9 +82,9 @@ print STDERR "line: $_" if $debug; chomp; if (/^\[/) { - ($id)=m/((?:DSA|CAN|CVE)-[^\s]+) /; + ($id)=m/((?:DSA|DTSA|CAN|CVE)-[^\s]+) /; } - elsif (/^((?:DSA|CAN|CVE)-[^\s]+)/) { + elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) { $id=$1; } elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) { Modified: data/updatelist ==================================================================--- data/updatelist 2005-08-26 18:51:21 UTC (rev 1659) +++ data/updatelist 2005-08-26 20:24:15 UTC (rev 1660) @@ -1,30 +1,37 @@ #!/usr/bin/perl my $full_can_html=shift; my $dsa_list=shift; +my $dtsa_list=shift; my $our_list=shift; my %cans; -open (DSA, "<$dsa_list") || die "$dsa_list: $!\n"; -my $dsa; -while (<DSA>) { - if (/^\[/) { - ($dsa)=m/(DSA-.*?) /; - } - if (/\{(CAN|CVE)/) { - my ($canlist)=m/\{(.*)\}/; - foreach my $can (split '' '', $canlist) { - $can=~s/CVE-/CAN-/g; - next unless $can=~/^CAN-\d+/; - $cans{$can}{can}=$can; - push @{$cans{$can}{dsa}}, $dsa; - $can=~s/CAN-/CVE-/g; - $cans{$can}{can}=$can; - push @{$cans{$can}{dsa}}, $dsa; +sub read_dsa { + my $list=shift; + + open (DSA, "<$list") || die "$list: $!\n"; + my $dsa; + while (<DSA>) { + if (/^\[/) { + ($dsa)=m/(DT?SA-.*?) /; } + if (/\{(CAN|CVE)/) { + my ($canlist)=m/\{(.*)\}/; + foreach my $can (split '' '', $canlist) { + $can=~s/CVE-/CAN-/g; + next unless $can=~/^CAN-\d+/; + $cans{$can}{can}=$can; + push @{$cans{$can}{dsa}}, $dsa; + $can=~s/CAN-/CVE-/g; + $cans{$can}{can}=$can; + push @{$cans{$can}{dsa}}, $dsa; + } + } } + close DSA; } -close DSA; +read_dsa($dsa_list); +read_dsa($dtsa_list); my %listedcans; 
@@ -102,10 +109,10 @@ elsif (/^\s+NOTE:\s*(reserved|rejected)\s*$/) { # skip it } - elsif (/^\s+NOTE: covered by DSA.*/) { + elsif (/^\s+NOTE: covered by DT?SA.*/) { # skip it (old form) } - elsif (/^\s+{DSA.*/) { + elsif (/^\s+{DT?SA.*/) { # skip } elsif (/^\s+(.*)/ && $can) { Modified: doc/announce.2 ==================================================================--- doc/announce.2 2005-08-26 18:51:21 UTC (rev 1659) +++ doc/announce.2 2005-08-26 20:24:15 UTC (rev 1660) @@ -3,10 +3,18 @@ Subject: announcing the beginning of security support for testing +----------------------------------------------------------------------------- +Debian Testing Security Team http://secure-testing.debian.net +Security support for testing secure-testing-team@lists.alioth.debian.org +August 26th, 2005 +----------------------------------------------------------------------------- + +Security support for testing + The Debian testing security team is pleased to announce the beginning of full security support for Debian''s testing distribution. We have spent the past year building the team, tracking and fixing security holes, and -creating our infrastructure, and now the final piece is in place, and +creating our infrastructure, and now the final pieces are in place, and we are able to offer security updates and advisories for testing. We invite Debian users who are currently running testing, or who would like 
@@ -19,21 +27,60 @@ available: deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free +deb-src http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free -Note that some initial advisories have already been posted to the list -and are already available in the repository. These include: +Some initial advisories have already been posted to the list and are already +available in the repository. These include: DTSA-1-1 kismet - XXXXXX complete Note that this announcement does not mean that testing is free of security issues. Several security issues are present in unstable, and an even larger -quantity are present in testing. Our beginning of security support only -means that we are now able to begin making security fixes available for -testing nearly as quickly as for unstable. The testing security team makes -statistics about what security holes are still open available on our -website, and users should use this information to make their own decision -about whether testing is secure enough for production use. +number are present in testing. Our beginning of security support only means +that we are now able to begin making security fixes available for testing +nearly as quickly as for unstable. The testing security team''s website has +information about what security holes are still open, and users should use +this information to make their own decision about whether testing is secure +enough for production use. For more information about the testing security team, see our web site. <http://secure-testing.alioth.debian.org/>. 
+ +---------------------------------------------------------------------------- + +The archive signing key that is used to sign the apt repository is +included below and can also be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.1 (GNU/Linux) + +mQGiBEMM7wgRBACs/rcYtu++PqBV5t6qTf9FsjJYZV4OUoQmtK849PdHUoVONh/b +yz0vmP4QPCJXraFYiiiaur8WLcOphwY3DFaz0quozxl3pZfJjN27qDdTTDUKk1Kq +zFQYTsDaXjSh0nRGW3gFmbyIqTL8sVGOAAz2KbrtLEQE11qYZjzvylEf4wCgv6ss +HgQ7AcSBjpvm72e9PvSuDhMD/1kV0Snq9ilvCv7QLHBo/JnNgiCwxh5nEnPWHYjo +SB0I99nuFMAzooAXTQhU3Hx1/sdZ3SMk1hWwZCPI0iNqESH2a3ib0YZt0DycWa3Y +KxXIJet92u3ApSMVbp6OzzL7REoNCAgg6F/lrl+lVtnHbKiKBMZlKMsp+kQLSXqr +Ki0pA/wIkkp7mJ7IiVS0fy9gueuiLqJKR6+i092J0RXsQesQX4OTC2DY3IICB22Q +HfE8WNVZ2iPuWK0ymg6GqAHplp7bfVZMzfMSTMc+hj9WnmEVRRjLH66tsq1XHGEQ +qg/mbkmeXwUwxAT1WGClcRWJqODmWE7KhkjKwGklYgzBoxwqkLRDc2VjdXJlLXRl +c3RpbmcgQXJjaGl2ZSBLZXkgMjAwNS03IDxrYXRpZUBzZWN1cmUtdGVzdGluZy5k +ZWJpYW4ubmV0PohkBBMRAgAkBQJDDO8IAhsDBQkElVcABgsJCAcDAgMVAgMDFgIB +Ah4BAheAAAoJEJRqpuGHIucecvgAoK3nnF0yEwpNeQASyerh4wxRblZzAJ9h8rEF +YldbZt/zYA53k2/y2m+s7LkCDQRDDO8gEAgAm1Y/a//sVe6fEANvLc5M5pEsoRkP +LNKcH1O/og2mID8/gBV99LRfRnjcV8xhF5cWIlb4Es3KvQxmvxo6zGEfsMJWoezq +H+2agIra78dfb0B1AyHuvwSRMc9sVy+3CuegM8bD3ss+4ta3rNLChpVrE8DxJZum +ecqkNSQVOkqeAOl2JIQ/xBkLg1hjQA8bXW5AiUu4/XAQAe04w7YNfdsApeCfpKEW +Atg54CD9uRbfSwnd2uYHYcosmBMhryNrHy27RkyS0BFWaL/1gfBqua7VujcnCm6S +nbhB4t3vk/AnEsPJixtW/tOC3a3BaPqGsTq848e/PzmWY/8y9mvXwbxq5wADBQgA +gNtB3u8TCN2Z4wkKrg19LohivQzJCXFfRi2ZydOe9E3SbSi6ggthjvGhHv2lTHEu +e/4wBOta3a9pUpVdMgRFL1UuJy3nPd1yPC0dOegJj+lMkeMGcdKolJUMdoA+ieZ2 +lwkrT1b5GdFBSRn8hsuRtZi69QtzoHzDR5lg9ynwTJ+mLlO8r83HmdxbXsnmGlxy +ZWRoqiSIl7mRLHp2tuFw9chgJ1nqwewTmCj85Aj/YsbGmqOJcnp98Jk0GDiP/le4 +rktZAqG2blwVpC2DLLiQSqcYS5jjq/iiGnYEIVG+nPa/29OuoX40zwKqBcy5I8rJ +ZIq2hzbazsyg2Sd3vhmZuohPBBgRAgAPBQJDDO8gAhsMBQkElVcAAAoJEJRqpuGH +IuceRqUAn3Q8msRUTsp882QINWyy5fqTehb5AJ9+kz3xq+7ooAwkdgpNOiz7ogxp +Qg=+=KBNL +-----END PGP 
PUBLIC KEY BLOCK----- Modified: website/index.html ==================================================================--- website/index.html 2005-08-26 18:51:21 UTC (rev 1659) +++ website/index.html 2005-08-26 20:24:15 UTC (rev 1660) @@ -42,7 +42,9 @@ repository: <pre> deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free </pre> + The archive signing key used for this repository is <a href="ziyi-2005-7.asc">here</a>. </p> <h1>Data sources</h1> @@ -108,17 +110,18 @@ including builds for all other architectures: <pre> deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free </pre> Build logs can be found <a href="http://experimental.debian.net/">here</a>. </li> <li> Once everything is ready, contact a team member to create a DSTA annoucement - (procedure pending), contact a secure-testing-master admin + (using data/DTSA/mkadvisory), contact a secure-testing-master admin to move the upload from etch-proposed-updates to etch (using something like this, but the procedure is still being worked out: madison -s etch-proposed-updates -f heidi -S $package | sudo -u katie heidi -a etch) - and send the DSTA to secure-testing-announce. + and send the signed DSTA to secure-testing-announce. </li> </ol> </p>
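Review bot: the second data/CAN/list hunk (@@ -3823,12 +3825,14 @@) is a DSA cross-reference correction, not DTSA work: it moves `{DSA-786-1}` from CAN-2005-1856 to CAN-2005-1857 and records `{DSA-787-1}` with `backup-manager 0.5.8-2` under CAN-2005-1855 and CAN-2005-1856, while the log message only mentions DTSA support and the automatic db update. Either mention the backup-manager fix-up in the log or commit it separately so the history of that DSA mapping stays findable.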
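Review bot: in the data/DTSA/mkadvisory hunk, `getadvisory` uses a bare `shift` inside the subroutine (`if (@ARGV) { $num=shift; }`), which shifts `@_`, not `@ARGV`; because the sub is called as `getadvisory()` with no arguments, passing a number on the command line leaves `$num` undefined and the script goes on to create a file named `DTSA-`. Use `shift @ARGV` there, or pass the number into the sub. In the same hunk the WHOAMI branch reads `my ($fullname, $office, $workphone, $homephone) split /\s*,\s*/, getpwuid($<)->gecos;` with no `=` between the target list and `split`, which is a syntax error as shown, so check that the committed file actually has the assignment. Finally, the template and list are opened by relative path (`open (TEMPLATE, "template")`, `open (IN, "list")`), so either document that the script must be run from data/DTSA or derive the directory from `$0`.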
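Review bot: the data/DTSA/template hunk (and therefore the generated data/DTSA/DTSA-1-1) tells users to fetch the archive signing key from http://secure-testing.debian.net/ziyi-2005-7.asc but states no key fingerprint, so a reader who downloads the key over plain HTTP has nothing to compare it against. Add a line with the key's fingerprint to the Upgrade Instructions section of the template, next to the download URL, so every advisory carries it.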
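Review bot: the first data/updatelist hunk (@@ -1,30 +1,37 @@) inserts a new positional argument, `my $dtsa_list=shift;`, between `$dsa_list` and `$our_list`, so any caller not updated in this commit would silently read its own list as the DTSA list and its DTSA list as the output list; both data/CAN/Makefile and data/CVE/Makefile are updated here, but a usage check at the top of the script (die unless all four arguments are present) would make the new contract explicit. The refactored `read_dsa` also keeps the bareword `DSA` filehandle and still stores DTSA ids under `$cans{$can}{dsa}`, which works because the handle is closed before the second call, but the naming is now misleading since the sub is called once per list.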
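Review bot: the second doc/announce.2 hunk (@@ -19,21 +27,60 @@) still carries the placeholder `DTSA-1-1 kismet - XXXXXX complete` in the list of initial advisories; replace it with the real summary before this is sent (data/DTSA/list in this commit has `kismet - remote code execution`). The closing link `<http://secure-testing.alioth.debian.org/>` also disagrees with the new header and the key URL, which both use http://secure-testing.debian.net, so pick one hostname. For the inline PGP public key, state its fingerprint in the text and send the announcement signed with an existing Debian developer key; otherwise the archive key is only as trustworthy as the unsigned mail that delivers it.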
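Review bot: the second website/index.html hunk (@@ -108,17 +110,18 @@) edits the lines that read `create a DSTA annoucement` and `send the signed DSTA to secure-testing-announce` but leaves the typos in place; both should say DTSA, the identifier used everywhere else in this commit, and `announcement`. Since the text now points at `data/DTSA/mkadvisory`, it would also help to say that the script has to be run from the data/DTSA directory, as it opens `template` and `list` by relative path.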