Francesco Poli
2006-Jun-04 23:32 UTC
[Secure-testing-team] Updates for testing-security track page
Hi all!

Joey Hess suggested that I report issues like the following to this list.

By taking a look at some vulnerabilities listed in the testing-security track page (http://spohr.debian.org/~joeyh/testing-security.html), I noticed that some data don't seem to be updated.
For example:

* mozilla-thunderbird (unfixed) for CVE-2006-0836, CVE-2006-0295, CVE-2006-0298, CVE-2006-0299, CVE-2006-0297, CVE-2006-0294, CVE-2005-3402

Since mozilla-thunderbird is now a dummy transitional package, its vulnerabilities should be attributed to the real package (that is to say, thunderbird).
Out of these 7 issues, 5 are claimed[1] to be fixed in thunderbird version 1.5.0.2-1, which has already migrated to testing (for all archs, except s390 which is not release candidate, though).
Those 5 seemingly solved issues are:
CVE-2006-0294 CVE-2006-0295 CVE-2006-0297 CVE-2006-0298 CVE-2006-0299

The remaining 2 vulnerabilities (CVE-2006-0836 and CVE-2005-3402) are maybe still present in sid (package thunderbird, I think).

Is this correct?

[1] by http://spohr.debian.org/~joeyh/testing-security.html itself

* mysql-dfsg (unfixed; bug #365939) for CVE-2006-1518, CVE-2006-1517, CVE-2006-1516

The bug report[2] refers to package mysql-server-5.0 and claims that the issue is fixed in mysql-dfsg-5.0 version 5.0.21-1, which is superseded by 5.0.22-2 in sid.
Testing seems to be still vulnerable, because it has version 5.0.20-1.

[2] http://bugs.debian.org/365939
[3] http://bjorn.haxx.se/debian/testing.pl?package=mysql-server-5.0

Please note that I'm (slowly) performing other similar checks, hence other reports like this could reach this list in the future.

Joey Hess told me that the bug status tracking is still done manually: I hope it can be automated soon!

P.S.: I am not subscribed to the list, so, please, Cc: me on replies, if any.
Thanks.

--
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
......................................................................
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Djoume SALVETTI
2006-Jun-05 09:42 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon 05 Jun 2006 00:14:36 GMT Francesco Poli <frx@firenze.linux.it> wrote:

> * mysql-dfsg (unfixed; bug #365939) for CVE-2006-1518, CVE-2006-1517,
> CVE-2006-1516
>
> The bug report[2] refers to package mysql-server-5.0 and claims that
> the issue is fixed in mysql-dfsg-5.0 version 5.0.21-1, which is
> superseded by 5.0.22-2 in sid.
> Testing seems to be still vulnerable, because it has version 5.0.20-1.
>
> [2] http://bugs.debian.org/365939
> [3] http://bjorn.haxx.se/debian/testing.pl?package=mysql-server-5.0

mysql-dfsg has been removed from sid and will be removed from etch when removing causes no dependency problems.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356751
http://bjorn.haxx.se/debian/testing.pl?package=mysql-dfsg

I've updated our database with this information.

Regards.
--
Djoume SALVETTI
Djoume SALVETTI
2006-Jun-05 09:47 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon 05 Jun 2006 00:14:36 GMT Francesco Poli <frx@firenze.linux.it> wrote:

> * mozilla-thunderbird (unfixed) for CVE-2006-0836, CVE-2006-0295,
> CVE-2006-0298, CVE-2006-0299, CVE-2006-0297, CVE-2006-0294,
> CVE-2005-3402
>
> Since mozilla-thunderbird is now a dummy transitional package, its
> vulnerabilities should be attributed to the real package (that is to
> say, thunderbird).
> Out of these 7 issues, 5 are claimed[1] to be fixed in thunderbird
> version 1.5.0.2-1, which has already migrated to testing (for all archs,
> except s390 which is not release candidate, though).
> Those 5 seemingly solved issues are:
> CVE-2006-0294 CVE-2006-0295 CVE-2006-0297 CVE-2006-0298 CVE-2006-0299
>
> The remaining 2 vulnerabilities (CVE-2006-0836 and CVE-2005-3402) are
> maybe still present in sid (package thunderbird, I think).
>
> Is this correct?

Hello,

Thanks for your report, my understanding is that you are right, we have to track the mozilla-firefox/mozilla-thunderbird source packages for sarge and the firefox/thunderbird source packages for etch and sid. I have added some [sarge] targets to mozilla-firefox and mozilla-thunderbird for the issues you mention.

Moritz, I've just noticed that you do not always add [sarge] for issues in mozilla-firefox that are also in firefox, is there any reason for that? Am I misunderstanding something?

If you agree, I can add [sarge] for all mozilla-firefox and mozilla-thunderbird issues.

Regards.
--
Djoume SALVETTI
Florian Weimer
2006-Jun-05 11:01 UTC
[Secure-testing-team] Updates for testing-security track page
* Djoume SALVETTI:

> Moritz, I've just noticed that you do not always add [sarge] for issues
> in mozilla-firefox that are also in firefox, is there any reason for
> that? Am I misunderstanding something?

In some cases, the issues are 1.5-only and they don't affect sarge.

> If you agree, I can add [sarge] for all mozilla-firefox and
> mozilla-thunderbird issues.

It's usually better to add "- mozilla-thunderbird <removed>" annotations. Otherwise, you might need to edit the CVE/list file for the DSA.
Djoume SALVETTI
2006-Jun-05 12:40 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon 05 Jun 2006 12:59:58 GMT Florian Weimer <fw@deneb.enyo.de> wrote:

> In some cases, the issues are 1.5-only and they don't affect sarge.

In these cases I have put:

- firefox 1.5.dfsg+1.5.0.1-1 (bug #351442)
[sarge] - mozilla-firefox <not-affected> (Only Firefox 1.5 is affected)

> > If you agree, I can add [sarge] for all mozilla-firefox and
> > mozilla-thunderbird issues.
>
> It's usually better to add "- mozilla-thunderbird <removed>"
> annotations. Otherwise, you might need to edit the CVE/list file for
> the DSA.

Ok, so I'll add a:

- mozilla-firefox <removed>

to each firefox CVE if nobody objects (and the same for thunderbird).
But we also need to manually add some

[sarge] - mozilla-firefox <not-affected>

to track sarge status (when we have some info), don't we?

--
Djoume SALVETTI
Florian Weimer
2006-Jun-05 12:46 UTC
[Secure-testing-team] Updates for testing-security track page
* Djoume SALVETTI:

> But we also need to manually add some
>
> [sarge] - mozilla-firefox <not-affected>
>
> to track sarge status (when we have some info) don't we?

Yes, and you should add an explanation like "only 1.5 is affected" in parentheses.
Steve Langasek
2006-Jun-05 16:46 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon, Jun 05, 2006 at 11:44:54AM +0200, Djoume SALVETTI wrote:
> On Mon 05 Jun 2006 00:14:36 GMT Francesco Poli <frx@firenze.linux.it> wrote:
> > * mysql-dfsg (unfixed; bug #365939) for CVE-2006-1518, CVE-2006-1517,
> > CVE-2006-1516
> >
> > The bug report[2] refers to package mysql-server-5.0 and claims that
> > the issue is fixed in mysql-dfsg-5.0 version 5.0.21-1, which is
> > superseded by 5.0.22-2 in sid.
> > Testing seems to be still vulnerable, because it has version 5.0.20-1.
> >
> > [2] http://bugs.debian.org/365939
> > [3] http://bjorn.haxx.se/debian/testing.pl?package=mysql-server-5.0
>
> mysql-dfsg has been removed from sid and will be removed from etch when
> removing causes no dependency problems.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356751
> http://bjorn.haxx.se/debian/testing.pl?package=mysql-dfsg
>
> I've updated our database with this information.

fwiw, myodbc and mnogosearch are due to be updated in testing tomorrow, leaving only courier and kexi needing an update. kexi appears to be binNMUable, and courier needs the hppa buildd's sbuild config fixed to not reference libmysqlclient12 explicitly.

Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Francesco Poli
2006-Jun-05 23:28 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon, 5 Jun 2006 11:30:29 +0200 Djoume SALVETTI wrote:

> Thanks for your report

You're welcome.

BTW, since you appreciated it, here's more of the same! ;-)

* python-pgsql (unfixed; bug #369250) for CVE-2006-2314

The bug report[1] claims the issue is fixed in version 2.4.0-8, which is by now trying to enter testing[2].
Hence I would say this vulnerability is fixed in sid, even though not yet in etch.

[1] http://bugs.debian.org/369250
[2] http://bjorn.haxx.se/debian/testing.pl?package=python-pgsql
Francesco Poli
2006-Jun-05 23:45 UTC
[Secure-testing-team] Updates for testing-security track page
On Tue, 6 Jun 2006 00:27:24 +0200 Francesco Poli wrote:

> On Mon, 5 Jun 2006 11:30:29 +0200 Djoume SALVETTI wrote:
>
> > Thanks for your report
>
> You're welcome.
>
> BTW, since you appreciated it, here's more of the same! ;-)

And even more:

* ruby1.6 1.6.8-13 needed, have 1.6.8-12 [m68k] for CVE-2005-2337

I cannot see any evidence that the m68k arch is still out of sync w.r.t. this package.
If I read the package migration status[1] correctly, this vulnerability seems to be fixed in unstable and testing for all architectures.
Wait, no!, from the build log[2], it seems that the m68k build failed!
Why doesn't the package migration status[1] say anything about this?
What's wrong? What did I fail to understand?

[1] http://bjorn.haxx.se/debian/testing.pl?package=ruby1.6
[2] http://buildd.debian.org/fetch.php?&pkg=ruby1.6&ver=1.6.8-13&arch=m68k&stamp=1141764930&file=log&as=raw

* runit (unfixed; bug #356016) for CVE-2006-1319

The bug report[3] claims the issue is fixed in version 1.4.1-1, which is already superseded by version 1.5.1-1 in testing[4].
Hence, I would say this vulnerability is fixed in both unstable and testing.

[3] http://bugs.debian.org/356016
[4] http://bjorn.haxx.se/debian/testing.pl?package=runit
Stefan Fritsch
2006-Jun-06 09:08 UTC
[Secure-testing-team] Updates for testing-security track page
Hi,

On Tuesday 06 June 2006 00:44, Francesco Poli wrote:
> * ruby1.6 1.6.8-13 needed, have 1.6.8-12 [m68k] for CVE-2005-2337

I don't know anything about this.

> * runit (unfixed; bug #356016) for CVE-2006-1319
> * python-pgsql (unfixed; bug #369250) for CVE-2006-2314

I have updated these in the database. Thanks.

Cheers,
Stefan
Francesco Poli
2006-Jun-06 18:26 UTC
[Secure-testing-team] Updates for testing-security track page
On Tue, 6 Jun 2006 11:08:13 +0200 Stefan Fritsch wrote:

> Hi,
[...]
> > * runit (unfixed; bug #356016) for CVE-2006-1319
> > * python-pgsql (unfixed; bug #369250) for CVE-2006-2314
>
> I have updated these in the database. Thanks.

Good, here's one more:

* tcpquota (unfixed; bug #358369) for CVE-2006-XXXX

The bug report[1] claims the issue is fixed in version 1.6.15-11, which is already in testing[2].
Hence I would say this vulnerability is fixed in both unstable and testing.

[1] http://bugs.debian.org/358369
[2] http://bjorn.haxx.se/debian/testing.pl?package=tcpquota
Stefan Fritsch
2006-Jun-06 23:32 UTC
[Secure-testing-team] Updates for testing-security track page
Hi,

On Tuesday 06 June 2006 19:25, Francesco Poli wrote:
> Good, here's one more:
>
> * tcpquota (unfixed; bug #358369) for CVE-2006-XXXX

Thanks again. I have updated this entry as well. The same for (hopefully) all other entries with priority above unimportant which had their bug report closed but were still marked as unfixed:

CVE-2005-3648 moodle
CVE-2006-XXXX fftw
CVE-1999-XXXX gnumach
CVE-2005-3055 linux-2.6

I will try to create a script that checks this automatically.

Cheers,
Stefan
Djoume SALVETTI
2006-Jun-08 16:45 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon 05 Jun 2006 13:53:39 GMT Djoume SALVETTI <Djoume.Salvetti@crans.org> wrote:

> > It's usually better to add "- mozilla-thunderbird <removed>"
> > annotations. Otherwise, you might need to edit the CVE/list file for
> > the DSA.
>
> Ok, so I'll add a:
>
> - mozilla-firefox <removed>
>
> to each firefox CVE if nobody objects (and the same for thunderbird).

After more reflection, I'm not sure it's a good idea to add all these <removed> entries when the issue is disclosed after the package has been removed.

Also, I don't understand why I would have to edit the CVE/list file for the DSA if I only add

[sarge] - mozilla-firefox 1.2.3

or

[sarge] - mozilla-firefox <unfixed> (bug #123456)

or

[sarge] - mozilla-firefox <not-affected> (Only 1.5 is vulnerable)

to firefox CVE entries when some info is available before a DSA is published.

Regards.
--
Djoume SALVETTI
Moritz Muehlenhoff
2006-Jun-08 20:35 UTC
[Secure-testing-team] Updates for testing-security track page
Djoume SALVETTI wrote:
> On Mon 05 Jun 2006 13:53:39 GMT Djoume SALVETTI <Djoume.Salvetti@crans.org> wrote:
> > > It's usually better to add "- mozilla-thunderbird <removed>"
> > > annotations. Otherwise, you might need to edit the CVE/list file for
> > > the DSA.
> >
> > Ok, so I'll add a:
> >
> > - mozilla-firefox <removed>
> >
> > to each firefox CVE if nobody objects (and the same for thunderbird).
>
> After more reflection, I'm not sure it's a good idea to add all these
> <removed> entries when the issue is disclosed after the package has
> been removed.

Yes, for packages like mysql-dfsg-4.1 it's not quite needed.

> Also, I don't understand why I would have to edit the CVE/list file for
> the DSA if I only add
>
> [sarge] - mozilla-firefox 1.2.3
>
> or
>
> [sarge] - mozilla-firefox <unfixed> (bug #123456)
>
> or
>
> [sarge] - mozilla-firefox <not-affected> (Only 1.5 is vulnerable)

You only need the third. The second is implicit, and information about fixes in Sarge comes through DSA/list. (With some exceptions like minor security fixes coming through stable-proposed-updates.)

Cheers,
Moritz
Francesco Poli
2006-Jun-17 22:51 UTC
[Secure-testing-team] Updates for testing-security track page
On Wed, 7 Jun 2006 01:32:27 +0200 Stefan Fritsch wrote:

[...]
> I will try to create a script that checks this automatically.

This would be really useful.

BTW, I started a second round...
Here's the first discrepancy I found:

* blender 2.40-1 needed, have 2.37a-1.1 for CVE-2005-4470

This vulnerability is still present in testing (it seems), but has been fixed in a testing security update (DTSA-29-1) which claims that the issue is fixed in version 2.37a-1.1etch1.
It should be reported in http://spohr.debian.org/~joeyh/testing-security.html but it's not...
Florian Weimer
2006-Jun-18 08:21 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

> Here's the first discrepancy I found:
>
> * blender 2.40-1 needed, have 2.37a-1.1 for CVE-2005-4470

There was a typo in the DTSA file. The output should be fixed soon.
Francesco Poli
2006-Jun-19 21:59 UTC
[Secure-testing-team] Updates for testing-security track page
On Sun, 18 Jun 2006 10:20:38 +0200 Florian Weimer wrote:

> * Francesco Poli:
>
> > Here's the first discrepancy I found:
> >
> > * blender 2.40-1 needed, have 2.37a-1.1 for CVE-2005-4470
>
> There was a typo in the DTSA file. The output should be fixed soon.

Now it reads:

* blender 2.37a-1.1etch1 needed, have 2.37a-1.1 for DTSA-29-1

Mmmh, it should qualify as "fixed in secure-testing archive" in the bottom summary, but it doesn't.
I'm afraid that this is not the Right Way(TM) to mark it as fixed with DTSA-something... :-(
Francesco Poli
2006-Jun-21 00:45 UTC
[Secure-testing-team] Updates for testing-security track page
On Mon, 19 Jun 2006 22:36:11 +0200 Francesco Poli wrote:

> On Sun, 18 Jun 2006 10:20:38 +0200 Florian Weimer wrote:
>
> > * Francesco Poli:
> >
> > > Here's the first discrepancy I found:
> > >
> > > * blender 2.40-1 needed, have 2.37a-1.1 for CVE-2005-4470
> >
> > There was a typo in the DTSA file. The output should be fixed soon.
>
> Now it reads:
>
> * blender 2.37a-1.1etch1 needed, have 2.37a-1.1 for DTSA-29-1
>
> Mmmh, it should qualify as "fixed in secure-testing archive" in the
> bottom summary, but it doesn't.
> I'm afraid that this is not the Right Way(TM) to mark it as
> fixed with DTSA-something... :-(

Another possible misuse of this same kind of tag:

* egroupware 1.2-1.dfsg-1 needed, have 1.0.0.009.dfsg-3-4 for CVE-2006-2016

Unfortunately, the testing migration tracker[1] says that "egroupware has the latest version in testing (1.0.0.009.dfsg-3-4)".
If you look at packages.qa.d.o[2], you see that all 1.2-* versions were uploaded to experimental, rather than to unstable.
This explains why no migration to testing is currently on the way. OK.
But then, considering this hole as "fixed in unstable but not testing" does not seem to be correct!
This hole should be marked as unfixed, or, at best, as "fixed in experimental" (but I don't see this category in the bottom summary of the testing security holes page[3]...)

[1] http://bjorn.haxx.se/debian/testing.pl?package=egroupware
[2] http://packages.qa.debian.org/e/egroupware.html
[3] http://spohr.debian.org/~joeyh/testing-security.html
Florian Weimer
2006-Jun-21 17:41 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

> Now it reads:
>
> * blender 2.37a-1.1etch1 needed, have 2.37a-1.1 for DTSA-29-1
>
> Mmmh, it should qualify as "fixed in secure-testing archive" in the
> bottom summary, but it doesn't.

I don't know how these pages are generated. After the spelling fix, at least <http://idssi.enyo.de/tracker/CVE-2005-4470> seems to be correct.
Florian Weimer
2006-Jun-21 18:59 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

> Another possible misuse of this same kind of tag:
>
> * egroupware 1.2-1.dfsg-1 needed, have 1.0.0.009.dfsg-3-4 for
> CVE-2006-2016

1.2-1.dfsg-1 is in experimental only. I think this one is correct in principle (especially if an upload of essentially that version to unstable is expected), except that we usually do not track experimental.
Francesco Poli
2006-Jun-21 23:26 UTC
[Secure-testing-team] Updates for testing-security track page
On Wed, 21 Jun 2006 20:38:14 +0200 Florian Weimer wrote:

> * Francesco Poli:
>
> > Another possible misuse of this same kind of tag:
> >
> > * egroupware 1.2-1.dfsg-1 needed, have 1.0.0.009.dfsg-3-4 for
> > CVE-2006-2016
>
> 1.2-1.dfsg-1 is in experimental only. I think this one is correct in
> principle (especially if an upload of essentially that version to
> unstable is expected), except that we usually do not track
> experimental.

I'm not sure I understand correctly.
Are you basically saying that the testing security holes page[1] is not accurate anymore?

Joey, could you please clarify if your page generation script can take into account the difference between "fixed in experimental" and "fixed in unstable", despite showing identical lines?

[1] http://spohr.debian.org/~joeyh/testing-security.html
Alec Berryman
2006-Jun-22 00:23 UTC
[Secure-testing-team] Updates for testing-security track page
Francesco Poli on 2006-06-22 01:22:32 +0200:

> On Wed, 21 Jun 2006 20:38:14 +0200 Florian Weimer wrote:
>
> > 1.2-1.dfsg-1 is in experimental only. I think this one is correct in
> > principle (especially if an upload of essentially that version to
> > unstable is expected), except that we usually do not track
> > experimental.
>
> I'm not sure I understand correctly.
> Are you basically saying that the testing security holes page[1] is not
> accurate anymore?

No, he's saying that Joey's page does not imply that the version testing is waiting for is in unstable. Perhaps the description of the totals at the bottom isn't completely accurate, but the bulk of the page certainly is.
Moritz Muehlenhoff
2006-Jun-22 17:32 UTC
[Secure-testing-team] Updates for testing-security track page
Francesco Poli wrote:
> I'm not sure I understand correctly.
> Are you basically saying that the testing security holes page[1] is not
> accurate anymore?

Yes, all recent work has been put into idssi.enyo.de/tracker.

Cheers,
Moritz
Francesco Poli
2006-Jun-23 00:46 UTC
[Secure-testing-team] Updates for testing-security track page
On Thu, 22 Jun 2006 19:32:48 +0200 Moritz Muehlenhoff wrote:

> Francesco Poli wrote:
> > I'm not sure I understand correctly.
> > Are you basically saying that the testing security holes page[1] is
> > not accurate anymore?
>
> Yes, all recent work has been put into idssi.enyo.de/tracker.

OK, that means that my script must be replaced by something else that pulls the relevant data from [0], rather than from [1]... :-/

[0] http://idssi.enyo.de/tracker/
[1] http://spohr.debian.org/~joeyh/testing-security.html
sf@sfritsch.de
2006-Jun-23 07:16 UTC
[Secure-testing-team] Updates for testing-security track page
>> Francesco Poli wrote:
>> > I'm not sure I understand correctly.
>> > Are you basically saying that the testing security holes page[1] is
>> > not accurate anymore?
>>
>> Yes, all recent work has been put into idssi.enyo.de/tracker.
>
> OK, that means that my script must be replaced by something else that
> pulls the relevant data from [0], rather than from [1]... :-/
>
> [0] http://idssi.enyo.de/tracker/
> [1] http://spohr.debian.org/~joeyh/testing-security.html

I have committed some fixes to the script creating [1]. The count of issues fixed in testing-security should now be accurate again. However, the page has not been regenerated yet (don't know how often that happens, maybe only once per day).

The script does not check whether the version given as fixed is actually in unstable (I have reworded the summary line accordingly). Apart from that, the information on [1] should still be usable.

Cheers,
Stefan
Florian Weimer
2006-Jun-23 19:41 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

> OK, that means that my script must be replaced by something else that
> pulls the relevant data from [0], rather than from [1]... :-/

Which script? Probably, you should use the SQLite database directly, instead of parsing web pages.
Francesco Poli
2006-Jun-24 10:32 UTC
Testing security graph: new version [was: Re: [Secure-testing-team] Updates for testing-security track page]
Francesco Poli
2006-Jun-24 12:47 UTC
[Secure-testing-team] Updates for testing-security track page
On Fri, 23 Jun 2006 19:01:32 +0200 Florian Weimer wrote:

> * Francesco Poli:
>
> > OK, that means that my script must be replaced by something else
> > that pulls the relevant data from [0], rather than from [1]... :-/
>
> Which script?

The one I sent to this list back in May.
I apologize for not providing enough context... :p

This little script generates and updates a simple graph of vulnerabilities in testing versus time.
I first talked about it in the thread I started with message <20060513125310.0d0bab7c.frx@firenze.linux.it>, that is http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-May/000756.html
I sent the script to this list with message <20060515230057.62836d70.frx@firenze.linux.it>, which unfortunately is completely mangled on the web archive...

> Probably, you should use the SQLite database directly,
> instead of parsing web pages.

Well, do I have (remote) access to the SQLite database?!?

Just to clarify: IANADD, IANATSTM[*], I'm just interested in evaluating the security of Debian testing.
My script is not official, it runs on my local machine, *when* the machine is online (!) and when I manually start it from the command line...

[*] which stands for I Am Not A Testing-Security Team Member, of course... ;-)
Florian Weimer
2006-Jun-24 13:23 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

>> Probably, you should use the SQLite database directly,
>> instead of parsing web pages.
>
> Well, do I have (remote) access to the SQLite database?!?

Not remote, but you should be able to build one with a couple of "make" invocations. Something like this:

make update-packages update-testing-security update-volatile all
Alec Berryman
2006-Jun-24 13:24 UTC
[Secure-testing-team] Updates for testing-security track page
Francesco Poli on 2006-06-23 23:04:42 +0200:

> On Fri, 23 Jun 2006 19:01:32 +0200 Florian Weimer wrote:
>
> > Probably, you should use the SQLite database directly,
> > instead of parsing web pages.
>
> Well, do I have (remote) access to the SQLite database?!?

You can build it yourself. I haven't done so, but I believe the code to do so is in bin/update-db (in the svn repository).
Francesco Poli
2006-Jun-24 22:20 UTC
[Secure-testing-team] Updates for testing-security track page
On Sat, 24 Jun 2006 15:23:29 +0200 Florian Weimer wrote:

> * Francesco Poli:
>
> >> Probably, you should use the SQLite database directly,
> >> instead of parsing web pages.
> >
> > Well, do I have (remote) access to the SQLite database?!?
>
> Not remote, but you should be able to build one with a couple of
> "make" invocations. Something like this:
>
> make update-packages update-testing-security update-volatile all

Mmmh, I don't quite understand: I don't think I can log in to the machine where the SQLite database lives.
Hence, I think that I would need remote access to the database (if at all possible, I'm no expert on SQLite...), but you seem to say that I cannot have remote access...
IIUC, there's no way I can read data directly from the database.
Micah Anderson
2006-Jun-24 22:38 UTC
[Secure-testing-team] Updates for testing-security track page
Francesco Poli wrote:
> On Fri, 23 Jun 2006 19:01:32 +0200 Florian Weimer wrote:
>
>> * Francesco Poli:
>>
>>> OK, that means that my script must be replaced by something else
>>> that pulls the relevant data from [0], rather than from [1]... :-/
>> Which script?
>
> The one I sent to this list back in May.
> I apologize for not providing enough context... :p
>
> This little script generates and updates a simple graph of
> vulnerabilities in testing versus time.

Do you have any examples of this graph available?

Micah
Javier Fernández-Sanguino Peña
2006-Jun-25 05:07 UTC
[Secure-testing-team] Updates for testing-security track page
On Thu, Jun 22, 2006 at 07:32:48PM +0200, Moritz Muehlenhoff wrote:
> Francesco Poli wrote:
> > I'm not sure I understand correctly.
> > Are you basically saying that the testing security holes page[1] is not
> > accurate anymore?
>
> Yes, all recent work has been put into idssi.enyo.de/tracker.

Any chance that this information can be placed up at www.debian.org? What do you guys need for that to happen? [1]

Regards

Javier

[1] Maybe I could pursue that.
Florian Weimer
2006-Jun-25 08:31 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:
>> Not remote, but you should be able to build one with a couple of
>> "make" invocations. Something like this:
>>
>> make update-packages update-testing-security update-volatile all
>
> Mmmh, I don't quite understand: I don't think I can log in to the
> machine where the SQLite database lives.

You just check out the secure-testing repository. The scripts to download the package files from the archive mirrors are contained in it. They use only open interfaces which are accessible to everyone.
Florian Weimer
2006-Jun-25 08:40 UTC
[Secure-testing-team] Updates for testing-security track page
* Javier Fernández-Sanguino Peña:
>> Yes, all recent work has been put into idssi.enyo.de/tracker.
>
> Any chance that this information can be placed up at www.debian.org? What do
> you guys need for that to happen? [1]

The archive metadata mirror currently needs about 500 MB of space (~15 MB per suite and architecture, or something like that). The database itself needs about 250 MB peak. Updating it currently results in significant CPU and I/O load. I don't know enough about the load on gluck to tell whether this is a problem or not.
Micah Anderson
2006-Jun-25 13:59 UTC
[Secure-testing-team] Updates for testing-security track page
Javier Fernández-Sanguino Peña wrote:
> On Thu, Jun 22, 2006 at 07:32:48PM +0200, Moritz Muehlenhoff wrote:
>> Francesco Poli wrote:
>>> I'm not sure I understand correctly.
>>> Are you basically saying that the testing security holes page[1] is not
>>> accurate anymore?
>> Yes, all recent work has been put into idssi.enyo.de/tracker.
>
> Any chance that this information can be placed up at www.debian.org? What do
> you guys need for that to happen? [1]

At our meeting in February[1] we discussed moving the tracker to a debian address. Most everyone agreed that the address should be tracker.security.debian.org (I was the only one who thought that was too long a domain name, but wasn't going to block it). We discussed issues about the resources it needs, and how it is currently on a machine of FW's. AJ suggested leaving it where it is, with a new URL, and moving it when some of the new .d.o machines come online. FW said that the missing pieces are glue scripts, servinvoke and instructions on how it works. The only issue that AJ had before putting it on a d.o address was that some of the language on the front page made the tracker seem too beta. We've since corrected that.

1. Complete meeting notes and IRC log: http://wiki.debian.org/DebianSecurity/Meetings/2006-02-15

Micah
Francesco Poli
2006-Jun-25 17:42 UTC
[Secure-testing-team] Updates for testing-security track page
On Sun, 25 Jun 2006 10:30:33 +0200 Florian Weimer wrote:
> * Francesco Poli:
>
> >> Not remote, but you should be able to build one with a couple of
> >> "make" invocations. Something like this:
> >>
> >> make update-packages update-testing-security update-volatile all
> >
> > Mmmh, I don't quite understand: I don't think I can log in to the
> > machine where the SQLite database lives.
>
> You just check out the secure-testing repository. The scripts to
> download the package files from the archive mirrors are contained in
> it. They use only open interfaces which are accessible to everyone.

Ah, I didn't understand what you meant, apparently.

Now, I'm giving a look at http://svn.debian.org/wsvn/secure-testing/

I cannot find many copyright or permission notices around... Which license are the scripts and doc and other stuff released under? I hope you intend them to be DFSG-free! In order to do that, you have to place appropriate copyright and permission notices and license texts, you know!

Stuff under lib/python/ seems to be validly released under the GPLv2 or later (even though I cannot find any copy of the GPLv2 text...). On the other hand, stuff under bin/ seems to lack any copyright information whatsoever...

-- 
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
......................................................................
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Florian Weimer
2006-Aug-16 21:02 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:
> Now, I'm giving a look at http://svn.debian.org/wsvn/secure-testing/
> I cannot find many copyright or permission notices around...

The source files which actually contain valuable IP have the GPL boilerplate. The tracker_service.py file is a border case; it depends on an unpublished (but GPLed) program called servinvoke. I'm still looking for a published replacement, but it seems there isn't any. servinvoke is invoked as a CGI script and forwards the request to a long-running process, buffering input and output so that no client can monopolize the server process for an arbitrary period of time.
Francesco Poli
2006-Aug-18 19:40 UTC
[Secure-testing-team] Updates for testing-security track page
On Wed, 16 Aug 2006 23:02:31 +0200 Florian Weimer wrote:
> * Francesco Poli:
>
> > Now, I'm giving a look at
> > http://svn.debian.org/wsvn/secure-testing/
> > I cannot find many copyright or permission notices around...
>
> The source files which actually contain valuable IP have the GPL
> boilerplate.

I don't know what you mean by "valuable I[ntellectual] P[roperty]". Do you think that the scripts that I found license-less are not copyrighted? I really doubt they can be considered as uncopyrighted...

I would be very pleased to see every piece of software you use to manage Debian security released in a DFSG-free manner...

> The tracker_service.py file is a border case; it depends on an
> unpublished (but GPLed) program called servinvoke.
[...]

What do you mean by "unpublished (but GPLed)"? Do you have a copy, and was it distributed to you under the GPL? If this is the case, you can distribute it to anyone you like and even publish it. If you do not have a copy, how can you know that it's GPLed? Are you trusting someone else who received it under the GPL and told you so? Isn't he/she willing to distribute it to you or to other people? If not, why?

-- 
But it is also tradition that times *must* and always do change, my friend.
-- from _Coming to America_
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Moritz Muehlenhoff
2006-Aug-20 11:33 UTC
[Secure-testing-team] Updates for testing-security track page
Francesco Poli wrote:
> > * Francesco Poli:
> >
> > > Now, I'm giving a look at
> > > http://svn.debian.org/wsvn/secure-testing/
> > > I cannot find many copyright or permission notices around...
> >
> > The source files which actually contain valuable IP have the GPL
> > boilerplate.
>
> I don't know what you mean by "valuable I[ntellectual] P[roperty]".
> Do you think that the scripts that I found license-less are not
> copyrighted?
> I really doubt they can be considered as uncopyrighted...

Stop wasting our time, we have work to do.

Cheers,
Moritz
Francesco Poli
2006-Aug-26 15:54 UTC
[Secure-testing-team] Updates for testing-security track page
On Sun, 20 Aug 2006 13:32:54 +0200 Moritz Muehlenhoff wrote:
> Francesco Poli wrote:
> > > * Francesco Poli:
> > >
> > > > Now, I'm giving a look at
> > > > http://svn.debian.org/wsvn/secure-testing/
> > > > I cannot find many copyright or permission notices around...
> > >
> > > The source files which actually contain valuable IP have the GPL
> > > boilerplate.
> >
> > I don't know what you mean by "valuable I[ntellectual] P[roperty]".
> > Do you think that the scripts that I found license-less are not
> > copyrighted?
> > I really doubt they can be considered as uncopyrighted...
>
> Stop wasting our time, we have work to do.

Moritz, it was not my intention to waste anyone's time. I'm actually surprised to hear that releasing software in a DFSG-free manner is called "a waste of time".

By reading a recent thread in the list archives, I see that you complained of not being listened to by other people when you pointed out security issues. You stated that you raised security concerns on debian-devel regarding some packages (like mantis) that were going to be included in Debian; despite your concerns, those packages were uploaded anyway; people didn't seem to care about security.

I am in a situation very similar to yours, but with respect to freeness issues, rather than security. I pointed out a freeness issue and the answer was "stop wasting our time".

IMHO, both security and freeness are very important aspects for Debian and should *not* be overlooked or neglected.

I hope I have clarified.

-- 
But it is also tradition that times *must* and always do change, my friend.
-- from _Coming to America_
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Florian Weimer
2006-Aug-26 17:09 UTC
[Secure-testing-team] Updates for testing-security track page
* Francesco Poli:

[servinvoke is still unpublished]

> If not, why?

I'm still looking for a replacement. I don't want to add anything to the pool of insecure C programs. servinvoke already had a buffer overflow bug. 8-/
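The pattern Florian describes in his 2006-Aug-16 message (a CGI front end that buffers a request completely, hands it to a long-running process, and buffers the reply so no single client can tie the process up) is a small enough design that it is worth seeing with the bounds checks in place, given that his 2006-Aug-26 message says the C version already had one buffer overflow. The following is an added example written for this page, not servinvoke and not any code from the secure-testing repository; the length-prefixed frame format, the 64 KiB and 1 MiB caps, the loopback echo backend standing in for the tracker process, and the `bridge_request` / `serve_backend` names are all assumptions made for the demo. The two failure modes it handles are a client whose `CONTENT_LENGTH` is larger than the cap (rejected before any buffer is allocated or the backend is contacted) and a client that declares one length and sends less (rejected without ever reaching the backend).

```python
# Added for this page, not the project's code: the frame format, caps and echo
# backend below are assumptions made for the demo.
import io
import socket
import struct
import threading

MAX_BODY = 64 * 1024      # hard cap on a request body, whatever the client claims
MAX_REPLY = 1024 * 1024   # hard cap on what the bridge accepts back from the backend
BACKEND_TIMEOUT = 5.0     # seconds one CGI instance may hold the backend connection


class RequestTooLarge(Exception):
    pass


class BadRequest(Exception):
    pass


def read_body(stdin, environ, max_body=MAX_BODY):
    """Read the whole CGI body before the backend is involved; never trust
    CONTENT_LENGTH beyond a fixed cap and never read past it."""
    try:
        declared = int(environ.get("CONTENT_LENGTH") or 0)
        if declared < 0:
            raise ValueError
    except ValueError:
        raise BadRequest("CONTENT_LENGTH must be a non-negative integer")
    if declared > max_body:
        raise RequestTooLarge(f"declared {declared} bytes, cap is {max_body}")
    body = bytearray()
    while len(body) < declared:
        chunk = stdin.read(min(4096, declared - len(body)))
        if not chunk:
            raise BadRequest("client closed the body early")
        body.extend(chunk)
    return bytes(body)


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock, payload):
    """Frame = 4-byte big-endian length followed by the payload."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock, max_len):
    """Read one frame, refusing any whose declared length exceeds max_len."""
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > max_len:
        raise RequestTooLarge(f"frame of {n} bytes exceeds cap {max_len}")
    return _recv_exact(sock, n)


def serve_backend(listener, handler):
    """The long-running process: one fully buffered request at a time."""
    while True:
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(BACKEND_TIMEOUT)
            try:
                send_frame(conn, handler(recv_frame(conn, MAX_BODY)))
            except (RequestTooLarge, OSError):
                continue  # drop the bad client, keep serving the next one


def bridge_request(environ, stdin, backend_addr):
    """One CGI invocation: buffer the request, forward it, buffer the reply.
    The backend is contacted only once the client's body is complete."""
    try:
        body = read_body(stdin, environ)
    except RequestTooLarge as e:
        return 413, str(e).encode()
    except BadRequest as e:
        return 400, str(e).encode()
    try:
        with socket.create_connection(backend_addr, timeout=BACKEND_TIMEOUT) as s:
            send_frame(s, body)
            reply = recv_frame(s, MAX_REPLY)
    except (RequestTooLarge, OSError) as e:
        return 502, f"backend failed: {e}".encode()
    return 200, reply


def demo():
    """Echo backend on loopback (stand-in for the tracker) plus three constructed
    requests: well-formed, oversized, and truncated."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    handler = lambda req: b"echo:" + req[::-1]
    threading.Thread(target=serve_backend, args=(listener, handler), daemon=True).start()
    addr = listener.getsockname()
    ok = bridge_request({"CONTENT_LENGTH": "5"}, io.BytesIO(b"hello world"), addr)
    big = bridge_request({"CONTENT_LENGTH": str(MAX_BODY + 1)}, io.BytesIO(b"x"), addr)
    short = bridge_request({"CONTENT_LENGTH": "10"}, io.BytesIO(b"abc"), addr)
    return ok, big, short
```

Running `demo()` returns a 200 with `b"echo:olleh"` for the well-formed request, a 413 for the oversized declaration and a 400 for the truncated body; only the first of the three ever opens a connection to the backend. The same cap-then-read discipline applies on the return path (`recv_frame` with `MAX_REPLY`), so a misbehaving backend cannot make the bridge allocate an unbounded reply buffer either. In a real deployment the backend would listen on a Unix socket with filesystem permissions rather than a loopback TCP port, and the per-connection timeout on both sides is what keeps one stalled peer from holding the single-threaded backend indefinitely.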