[Secure-testing-team] Bringing the tracker into shape for Woody and Sarge

Moritz Muehlenhoff jmm at inutil.org
Mon Dec 26 01:49:08 UTC 2005


Hi,
About two weeks ago I converted all remaining DSA entries to the new
syntax, and I've been rewriting some older entries in CVE/list to the new
syntax as well (the latter is done back to early 2003). So now the time
is ripe to make full use of the tracker at http://idssi.enyo.de/tracker
for tracking stable and oldstable.

So, how does this work:
Every package that has a vulnerability in sid automatically has derived
"unfixed" states for every distribution suite it is part of.
The only thing we need to track manually are the cases where a package
is present in a distribution but is not vulnerable for some reason.
This is done with <not-affected> tags:

CVE-2005-3138 (Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows ...)
        [woody] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
        [sarge] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
        - bugzilla 2.18.4-1 (bug #331206; medium)

The distribution tags are added to the relevant CVE/list entry. If there's
a DSA for an issue in stable, it gets added to DSA/list as usual and the
provisional entries in CVE/list can be removed. So, if there were a DSA for
Bugzilla that covered CVE-2005-3138, we could remove the [woody] and [sarge]
lines. This prevents cluttering CVE/list too much.

So, right now we need to clean up the currently open data a bit. If you have
some time, please go through the lists at
http://idssi.enyo.de/tracker/status/release/stable and
http://idssi.enyo.de/tracker/status/release/oldstable and check whether
some are false positives or possibly already resolved.

As I've been a secretary member of the stable security team since last week, I'll
strive to maintain the stable/oldstable information closely; help is of course
very welcome.

Cheers,
        Moritz
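The following is an added example, not code from the mail or from the Debian security tracker, to make the derivation rules above concrete: it parses the CVE/list entry syntax exactly as shown in the message (a header line, then indented `[suite] - package <not-affected> (note)` and `- package version (note)` lines), derives per-suite states the way the mail describes (everything is "unfixed" unless a `[suite]` line says `<not-affected>`), and shows the cleanup step of dropping the `[woody]`/`[sarge]` lines once a DSA covers the issue. The suite list `SUITES`, the treatment of a version on a `[suite]` line as "fixed in", and the rejection of any other angle-bracket tag are assumptions of this example; the real tracker handles more syntax and takes suite membership from the archive.

```python
"""Parser for the subset of CVE/list syntax shown in the mail (added example).

Handled: a header "CVE-YYYY-NNNN (description)" followed by indented lines
"[suite] - package <not-affected> (note)" or "- package version (note)".
Anything else (other <tags>) is rejected so the example stays honest.
"""
import re
from dataclasses import dataclass, field

# Assumption for this example: the suites a package is present in.  The real
# tracker derives this from the archive's package lists.
SUITES = ("woody", "sarge", "sid")

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:\((.*)\))?\s*$")
PKG_RE = re.compile(
    r"^(?:\[(?P<suite>[a-z]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"\s+(?P<fix><not-affected>|\S+)"
    r"(?:\s+\((?P<note>.*)\))?\s*$"
)

# Constructed sample input: the Bugzilla entry quoted in the mail.
SAMPLE_ENTRY = """\
CVE-2005-3138 (Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows ...)
        [woody] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
        [sarge] - bugzilla <not-affected> (Only Bugzilla >= 2.18 is affected)
        - bugzilla 2.18.4-1 (bug #331206; medium)
"""


@dataclass
class Entry:
    cve: str
    description: str
    # Each item: (suite or None for the untagged sid line, package, fix-or-tag, note)
    lines: list = field(default_factory=list)


def parse_entry(text):
    """Parse one CVE/list entry (header plus package lines) into an Entry."""
    raw = [line for line in text.splitlines() if line.strip()]
    m = HEADER_RE.match(raw[0].strip())
    if not m:
        raise ValueError("not a CVE/list header: %r" % raw[0])
    entry = Entry(cve=m.group(1), description=m.group(2) or "")
    for line in raw[1:]:
        pm = PKG_RE.match(line.strip())
        if not pm:
            raise ValueError("unparseable package line: %r" % line)
        fix = pm.group("fix")
        if fix.startswith("<") and fix != "<not-affected>":
            raise ValueError("tag %s not handled in this example" % fix)
        entry.lines.append((pm.group("suite"), pm.group("pkg"), fix,
                            pm.group("note") or ""))
    return entry


def derive_states(entry, suites=SUITES):
    """Return {package: {suite: state}} following the rules in the mail.

    The untagged line is the sid line and its version is the fixing version.
    A [suite] line with <not-affected> overrides the default; a [suite] line
    carrying a version is treated as "fixed in" there (assumption).  Every
    suite with no explicit line is derived as "unfixed".
    """
    states = {}
    for suite, pkg, fix, note in entry.lines:
        per_pkg = states.setdefault(pkg, {})
        if suite is None:
            per_pkg["sid"] = "fixed in %s" % fix
        elif fix == "<not-affected>":
            per_pkg[suite] = "not-affected (%s)" % note
        else:
            per_pkg[suite] = "fixed in %s" % fix
    for per_pkg in states.values():
        for suite in suites:
            per_pkg.setdefault(suite, "unfixed")
    return states


def drop_suite_lines(entry, covered_suites):
    """Copy of entry without the [suite] lines for suites a DSA now covers.

    This is the cleanup the mail describes: once DSA/list carries the fix,
    the provisional [woody]/[sarge] lines can go.
    """
    kept = [line for line in entry.lines if line[0] not in covered_suites]
    return Entry(entry.cve, entry.description, kept)


def render(entry):
    """Write an Entry back out in CVE/list syntax (8-space indent as in the mail)."""
    head = "%s (%s)" % (entry.cve, entry.description) if entry.description else entry.cve
    out = [head]
    for suite, pkg, fix, note in entry.lines:
        line = "        " + ("[%s] " % suite if suite else "") + "- %s %s" % (pkg, fix)
        if note:
            line += " (%s)" % note
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print(derive_states(entry))
    # Pretend a DSA for woody and sarge has been added to DSA/list:
    print(render(drop_suite_lines(entry, ("woody", "sarge"))))
```

Running the block shows woody and sarge as "not-affected" and sid as "fixed in 2.18.4-1"; after the suite lines are dropped, both stable suites fall back to the derived "unfixed" state, which is exactly why the DSA/list entry has to take over at that point.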



