Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase
Florian Weimer wrote:
> > CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
> > - texinfo unfixed (bug #328265; low)
>
> Please use some characters which cannot be part of version numbers,
> for example:
>
> - texinfo <unfixed> (bug #328265; low)
>
> Also for not-affected, BTW.

Ok, so it's <unfixed>, <not-affected> and <itp>

> > Please review and let's finalize the format somehow.
>
> Recently, it occurred to me that we have no good way to reference a
> Debian bug which deals with a non-issue as far as we are concerned:
>
> - texinfo <not-affected> (we do not ship this particular shell script)
>
> The usual space for bug references is taken by the free-form text.
> For uniformity, I'd rather put this text into a NOTE: and go with the
> standard syntax for bug references.

I see the point, but I think that for the majority of the issues we'll not open a bug report (e.g. because it's obvious at first glance that they are specific to another distribution). So let's implement not-affected like above and add your proposed fix from below.

> Apart from that, it probably makes sense to allow Debian bug numbers
> in the { ... } cross-references (for issues which do not have package
> notes, but still reference Debian bugs).

Which would be ideal to solve the deficiency you mentioned above. So the { } cross-references may refer to DTSA-foo, DSA-foo or "bug #foo".

Cheers,
Moritz
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase
Moritz Muehlenhoff wrote:
> 6. For syntactical clarity cross references in {} should only be allowed directly
> after the CVE line.

Agreed for CVEs (also already enforced by updatelist IIRC), but for DSAs, see DSA-573-1 for an example of a DSA that was complex enough in what it affected that it made sense to list the CVE references separately:

[21 Oct 2004] DSA-573-1 cupsys - integer overflows
	{CAN-2004-0888}
	- cupsys 1.1.20final+rc1-10
	{CAN-2004-0889}
	- xpdf 3.00-10
	NOTE: kpdf and kfax are fixed in sarge, bug #278173 and #280373 for reference
	- kpdf 4:3.3.1-1
	- gpdf 2.8.0-1
	- kfax 4:3.3.1-1

-- 
see shy jo
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase
* Moritz Muehlenhoff:

> CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
> - texinfo unfixed (bug #328265; low)

Please use some characters which cannot be part of version numbers, for example:

- texinfo <unfixed> (bug #328265; low)

Also for not-affected, BTW.

Apart from that, I fully support this change.

> - mediawiki itp (bug #276057; bug #217571)

Same here. Also a good idea.

> Please review and let's finalize the format somehow.

Recently, it occurred to me that we have no good way to reference a Debian bug which deals with a non-issue as far as we are concerned:

- texinfo <not-affected> (we do not ship this particular shell script)

The usual space for bug references is taken by the free-form text. For uniformity, I'd rather put this text into a NOTE: and go with the standard syntax for bug references.

Apart from that, it probably makes sense to allow Debian bug numbers in the { ... } cross-references (for issues which do not have package notes, but still reference Debian bugs).
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase
Hi,
as discussed we should implement some changes to our CAN/list and possibly finalize it as well.

1. The unfixed tag should be pulled out from the brackets and moved to the place where the actual fix would belong. This makes things much more structured and logical.

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
	- texinfo (unfixed; bug #328265; low)

would become

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
	- texinfo unfixed (bug #328265; low)

2. Issues that we currently can't research on our own should be moved from TODO: to HELP:. A website is generated from the HELP entries and linked from secure-testing.debian.net.

3. REJECTED: replaces the current NOTE: rejected; after the : a reason or cross reference may follow (free form).

4. RESERVED replaces the current NOTE: reserved

5. To track ITPs more cleanly we should add them like this (the source package name is the one for which the ITP has been filed, but instead of a version number they get an itp entry). The referenced bug number is the ITP's bug number, so that we can track whether it gets closed and react upon it.

CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
	- mediawiki itp (bug #276057; bug #217571)

6. For syntactical clarity cross references in {} should only be allowed directly after the CVE line.

7. After some more thought, I agree with Florian's argument that

NOT-FOR-US: Ueberl00t BBS Board

is a better solution than

NOTE: not-for-us (Ueberl00t BBS Board).

The first one permits us to have a concrete machine-parseable solution for each security issue, while we can use NOTE: to give additional free-form information.

This will be a big diff, but I think it's worth the effort. I also agree with your FIXES: proposal for DSA/list.

Please review and let's finalize the format somehow.

Cheers,
Moritz
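Added example (not code from this thread or from the secure-testing tools): a parser for the CAN/list syntax as the thread finalizes it, i.e. the angle-bracket tags <unfixed>/<not-affected>/<itp> that cannot collide with version strings, {...} cross-references holding DSA/DTSA ids or "bug #N" and accepted only directly after the CVE line (rule 6), and the machine-parseable NOT-FOR-US:/REJECTED:/RESERVED/TODO:/HELP: keyword lines with NOTE: kept free-form. The sample entries are constructed from the thread's examples; CAN-2005-9001 is a made-up id.

```python
import re

ID_RE = re.compile(r"^(C(?:AN|VE)-\d{4}-\d+)(?: \((.*)\))?$")
PKG_RE = re.compile(r"^- (\S+) (?:<(unfixed|not-affected|itp)>|([^<\s]\S*))(?: \((.*)\))?$")
XREF_RE = re.compile(r"DT?SA-\S+|bug #\d+")         # what a {...} cross-reference may hold
STATES = ("NOT-FOR-US:", "REJECTED:", "RESERVED", "TODO:", "HELP:")

def parse_canlist(text):
    entries, cur, after_header = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        if not (line := raw.strip()):
            continue
        if not raw[0].isspace():                     # unindented: a new CAN/CVE header line
            if not (m := ID_RE.match(line)):
                raise ValueError(f"line {n}: bad header {line!r}")
            cur = {"id": m.group(1), "desc": m.group(2) or "", "xrefs": [],
                   "packages": [], "notes": [], "state": None}
            entries.append(cur)
        elif cur is None:
            raise ValueError(f"line {n}: indented line before any header")
        elif line.startswith("{") and line.endswith("}"):
            if not after_header:                     # rule 6: {...} only directly after the CVE line
                raise ValueError(f"line {n}: cross-reference not directly after the CVE line")
            cur["xrefs"] = XREF_RE.findall(line[1:-1])
        elif line.startswith("NOTE:"):
            cur["notes"].append(line[5:].strip())
        elif line.startswith(STATES):                # machine-parseable status keywords
            cur["state"], _, rest = line.partition(":")
            cur["notes"] += [rest.strip()] if rest.strip() else []
        elif m := PKG_RE.match(line):                # either a <tag> or a version, never both
            pkg, tag, version, annot = m.groups()
            cur["packages"].append({"name": pkg, "tag": tag, "version": version,
                                    "bugs": re.findall(r"bug #(\d+)", annot or ""), "info": annot or ""})
        else:                                        # includes package lines with an unknown <tag>
            raise ValueError(f"line {n}: unrecognised line {line!r}")
        after_header = not raw[0].isspace()
    return entries

def open_work(entries):   # packages still <unfixed>/<itp>, with the bugs to watch for closure
    return [(e["id"], p["name"], p["tag"], p["bugs"]) for e in entries
            for p in e["packages"] if p["tag"] in ("unfixed", "itp")]

# Constructed sample in the finalized syntax; CAN-2005-9001 is a made-up id.
SAMPLE = """CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
\t{bug #328265}
\t- texinfo <unfixed> (bug #328265; low)
CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
\t- mediawiki <itp> (bug #276057; bug #217571)
CAN-2005-9001 (constructed: Ueberl00t BBS Board issue)
\tNOT-FOR-US: Ueberl00t BBS Board
"""
```

`open_work(parse_canlist(SAMPLE))` yields the two packages whose ITP or fix bug still has to be watched, which is the tracking use item 5 asks for.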