[Secure-testing-team] "FIXES:" and "FIXED-BY:" directives

Moritz Muehlenhoff jmm at inutil.org
Thu Oct 13 13:55:51 UTC 2005


[This must've slipped through]

Florian Weimer wrote:
> I've added new FIXES: and FIXED-BY: directives to the Python code (but
> not to the list files, of course -- this is up to you).
>
> This allows you to write:
> 
> [September 15th, 2005] DTSA-17-1 lm-sensors - insecure temporary file
> 	FIXES: DSA-814-1
> 	- lm-sensors 1:2.9.1-6etch1
> 
> in DTSA/list, and
> 
> [15 Sep 2005] DSA-814-1 lm-sensors - insecure temporary file
> 	FIXES: CAN-2005-2672
> 	[sarge] - lm-sensors 1:2.9.1-1sarge2
> 	[woody] - lm-sensors not-affected (woody not affected according to DSA)
> 
> in DSA/list.  CAN/list just contains:
> 
> CAN-2005-2672 (pwmconfig in LM_sensors before 2.9.1 creates temporary files ...)
> 	- lm-sensors 1:2.9.1-7 (bug #324193; medium)
>
> What do you think?  Is this feature useful?  It helps to avoid data
> duplication.

I think the basic principle is useful and needed. IMO the fix for sid should be
exclusively kept in CAN/list and not further duplicated in DSA/list, as these tend
to get out of sync when people forget to adapt them in DSA/list as well.

This somehow already exists (the part in the curly brackets), but IMO we should
apply it to the list files as well and patch checklist if necessary.
You proposed FIXES:, but I think as it's already present in {}, I don't see much
advantage, but I don't have a real opinion on it.

So, a DSA/list entry would only consist of e.g.:

[13 Oct 2005] DSA-835-1 hylafax - insecure temporary files
        {CAN-2005-3069}
        NOTE: not fixed in testing at time of DSA (missing arm)

The format of the DTSA entries wouldn't need to be changed, as it already
only references the etch fixes anyway.

Wrt your other suggestion, to track the versions of the fixes for sarge and
woody as well; IMO this would be quite a lot of additional work and it would
only be fruitful if done in coordination with the stable security team.

> ("FIXED-BY:" is needed because you cannot reference the FAKE-* entries
> in the other direction; they haven't got a real name.)

The only direction is from DSA->CAN/list, isn't it? For it this shouldn't
matter, as all DSAs (with backup-manager being the one exception of the rule)
have CVE assignments and for DTSAs we should hold to the same rule.
 
Cheers,
        Moritz
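As an added illustration (not code from this thread or from the tracker itself), the parser below reads constructed DSA/list and CAN/list samples in the format quoted above, resolves an advisory's sid fix through its {CAN-...} or FIXES: reference, and flags sid lines duplicated in DSA/list that have drifted from CAN/list. The sample file contents, the hylafax version and the bug number are assumptions.

```python
import re
# Constructed samples modelled on the thread's entries; hylafax version and bug id are placeholders.
DSA_LIST = """\
[13 Oct 2005] DSA-835-1 hylafax - insecure temporary files
\t{CAN-2005-3069}
\tNOTE: not fixed in testing at time of DSA (missing arm)
[15 Sep 2005] DSA-814-1 lm-sensors - insecure temporary file
\tFIXES: CAN-2005-2672
\t- lm-sensors 1:2.9.1-6
\t[sarge] - lm-sensors 1:2.9.1-1sarge2
"""
CAN_LIST = """\
CAN-2005-3069 (hylafax ... insecure temporary files)
\t- hylafax 0.0-PLACEHOLDER (bug #NNNNNN; medium)
CAN-2005-2672 (pwmconfig in LM_sensors before 2.9.1 creates temporary files ...)
\t- lm-sensors 1:2.9.1-7 (bug #324193; medium)
"""
# "- pkg ver" means sid; "[dist] - pkg ver" names a release ("not-affected" sits in ver)
FIX = re.compile(r"^(?:\[(?P<dist>\w+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)")

def parse_list(text):
    """Parse a list file into {id: {"refs": [...], "fixes": {dist: (pkg, ver)}}}."""
    entries, cur = {}, None
    for raw in text.splitlines():
        if raw and raw[0] not in " \t":            # unindented line opens an entry
            ident = raw.split("]")[-1].split()[0]  # skip the optional [date]
            cur = entries.setdefault(ident, {"refs": [], "fixes": {}})
            continue
        line = raw.strip()
        if line.startswith("{") and line.endswith("}"):  # {CAN-...} cross-reference
            cur["refs"] += line[1:-1].split()
        elif line.startswith("FIXES:"):                   # FIXES: directive
            cur["refs"] += line[6:].split()
        elif m := FIX.match(line):                        # NOTE: and other text fall through
            cur["fixes"][m["dist"] or "sid"] = (m["pkg"], m["ver"])
    return entries

def sid_fix(entry, can_entries):
    """Resolve an advisory's sid fix through its CAN references only."""
    for ref in entry["refs"]:
        can = can_entries.get(ref)
        if can and "sid" in can["fixes"]:
            return can["fixes"]["sid"]
    return None

def stale_duplicates(dsa_entries, can_entries):
    """Advisories whose own sid line disagrees with CAN/list (the drift the reply warns about)."""
    return [(ident, e["fixes"]["sid"][1], sid_fix(e, can_entries)[1])
            for ident, e in dsa_entries.items()
            if "sid" in e["fixes"] and sid_fix(e, can_entries) not in (None, e["fixes"]["sid"])]
```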