micah
2006-Mar-13 12:28 UTC
[Secure-testing-team] Bringing the tracker into shape for Woody and Sarge
On Mon, 26 Dec 2005, Moritz Muehlenhoff clickity clacked:

> The only thing we need to track manually are those cases, where a package
> is present in a distribution, but it is not vulnerable for some reasons.
> This is done with <not-affected> tags:

[snip]

> So, right now we need to clean up the currently open data a bit. If you have

As I go through the lists, I am adding a NOTE to the entries which I've found to be affected to give others who are also cleaning up this data an idea of which ones have already been looked at so there is no duplication of effort. It also should be mentioned that in addition to cleaning up the current data, we need to be sure that future entries also have this information added.

Micah
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Bringing the tracker into shape for Woody and Sarge
Hi,

since about two weeks ago I've converted all remaining DSA entries to the new format of the syntax and I've been rewriting some older entries from CVE/list to the new syntax as well. (the latter one is done back to early 2003). So now the time is ripe to make full use of the http://idssi.enyo.de/tracker tracker for tracking stable and oldstable.

So, how does this work: Every package that has a vulnerability in sid does automatically have derived "unfixed" states for every distribution suite it is part of. The only thing we need to track manually are those cases, where a package is present in a distribution, but it is not vulnerable for some reasons. This is done with <not-affected> tags:

	CVE-2005-3138 (Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows ...)
		[woody] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
		[sarge] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
		- bugzilla 2.18.4-1 (bug #331206; medium)

The distribution tags are added to the relative CVE/list entry. If there's a DSA for an issue for stable it gets added to DSA/list as usual and the provisional entries in CVE/list can be removed. So, if there were a DSA for Bugzilla that would cover CVE-2005-3138 we could remove the [woody] and [sarge] lines. This prevents cluttering the CVE/list too much.

So, right now we need to clean up the currently open data a bit. If you have some time please go through the lists at http://idssi.enyo.de/tracker/status/release/stable and http://idssi.enyo.de/tracker/status/release/oldstable and check, whether some are false positives and some are possibly already resolved.

As I'm a secretary member of the stable security team since last week I'll strive to maintain the stable/oldstable information closely, help is of course very welcome.

Cheers,
Moritz
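The CVE/list syntax described above, as an added example (not part of this thread and not the tracker's own code): a small parser for one entry that derives the per-suite state the way the mail explains it, where an explicit "[suite]" line overrides the automatically derived "unfixed" state. The suite list, the simplified derivation rule and the sample entries are assumptions constructed here.

```python
import re

# Constructed sample in the CVE/list syntax quoted in the mail above.
SAMPLE = """\
CVE-2005-3138 (Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows ...)
\t[woody] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
\t[sarge] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
\t- bugzilla 2.18.4-1 (bug #331206; medium)
"""

# Constructed entry with no suite lines: only a fix in sid is recorded.
SAMPLE_NO_TAGS = """\
CVE-0000-0001 (constructed placeholder entry)
\t- bugzilla 2.18.4-1 (bug #331206; medium)
"""

SUITES = ("woody", "sarge", "sid")  # assumed suite names for this example

# "[suite] - pkg <tag> (note)" or "- pkg version (note)"; version or tag optional.
LINE_RE = re.compile(
    r"^\s*(?:\[(?P<suite>\w+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?P<ver>[^\s<(]+)|\s+<(?P<tag>[\w-]+)>)?"
    r"(?:\s+\((?P<note>.*)\))?\s*$"
)

def parse_entry(text):
    """Return (cve_id, {pkg: {suite or None: (state, detail)}}).
    A line without a [suite] prefix is the sid line (suite key None)."""
    lines = text.strip().splitlines()
    cve = lines[0].split()[0]
    pkgs = {}
    for line in lines[1:]:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        if m["tag"]:                       # e.g. <not-affected>, <unfixed>
            state, detail = m["tag"], m["note"]
        elif m["ver"]:                     # a fixed version number
            state, detail = "fixed", m["ver"]
        else:                              # bare "- pkg" line
            state, detail = "unfixed", m["note"]
        pkgs.setdefault(m["pkg"], {})[m["suite"]] = (state, detail)
    return cve, pkgs

def suite_status(pkgs, pkg, suite):
    """Explicit [suite] line wins; otherwise the sid line applies to sid only
    and every other suite is derived 'unfixed' (assumed simplified rule)."""
    entries = pkgs[pkg]
    if suite in entries:
        return entries[suite]
    if suite == "sid" and None in entries:
        return entries[None]
    return ("unfixed", None)

def derived_states(text, suites=SUITES):
    """Map each package in one entry to its derived state per suite."""
    _cve, pkgs = parse_entry(text)
    return {p: {s: suite_status(pkgs, p, s)[0] for s in suites} for p in pkgs}
```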