[Secure-testing-team] "FIXES:" and "FIXED-BY:" directives

Moritz Muehlenhoff jmm at inutil.org
Mon Oct 17 23:00:36 UTC 2005


Florian Weimer wrote:
> >> It's just two more lines per DSA.
> >
> > Well yes, but collecting the information for these lines is the time-consuming
> > part :-)
> 
> Don't think so.  For current DSAs, the .dsc files are still on
> security.debian.org, so it's probably possible to automate this to
> some extent.  Only for historic DSAs, things get a bit messy.
> 
> In general, the "will be fixed soon" part for testing/unstable is much
> harder. 8-)

Ahh, I thought you wanted to add manual Sarge/Woody tracking for all
the entries in CAN/list.
 
> The main question is whether the [sarge]/[woody] entries in DSA/list
> will bother you.

For me, not at all.
 
> > What syntax did you use to mark an entry as the Woody or Sarge fix? Do
> > you track the Sarge/Woody fixes in CAN/list or do you still keep them in
> > DSA/list?
> 
> I'm not sure if I understand your question, but here's an example.
> 
> The top of DSA/list looks like this.
> 
> [13 Oct 2005] DSA-865-1 hylafax - insecure temporary files
> 	FIXES: CAN-2005-3069
> 	[woody] - hylafax 1:4.1.1-3.2
> 	[sarge] - hylafax 1:4.2.1-5sarge1
> 	NOTE: not fixed in testing at time of DSA (missing arm)
> 
> The corresponding entry in CAN/list is:
> 
> CAN-2005-3069 (xferfaxstats in HylaFax 4.2.1 and earlier allows local users to ...)
> 	{DSA-865-1}
> 	- hylafax 1:4.2.2+rc1 (bug #329384; low)
> 
> | Package  Type   Release    Fixed Version  Urgency  Origin   Debian Bugs
> | hylafax source (unstable) 1:4.2.2+rc1     low               329384
> | hylafax source sarge      1:4.2.1-5sarge1 unknown DSA-865-1
> | hylafax source woody      1:4.1.1-3.2     unknown DSA-865-1
> 
> Simple enough, I think.

Absolutely.
 
> If you look at the DSA on the web, you'll notice that we don't have
> vulnerability status information for testing/unstable anymore, you
> have to look at the corresponding CVE entry.  I don't think this is a
> problem.  (I tried to move relevant NOTE:s from the DSA to the CAN
> file.)

I agree, the canonical information should come from security.debian.org
anyway and the few cases where our information differs are negligible
IMO.

Cheers,
        Moritz
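The DSA/list and CAN/list layout quoted in the message, parsed and joined into the per-release table Florian shows. This is an added example, not code from the tracker or from either poster. The grammar is inferred from the single entry shown (a `FIXES:` line with whitespace-separated ids, `[release] - package version` lines, a `{DSA-...}` reference line, and `- package version (bug #N; urgency)` fix lines); the urgency vocabulary, the `unstable` label for CAN/list fixes and the `Row`/`DSA`/`CAN` names are assumptions. The sample input is the excerpt from the message, embedded as a constructed string.

```python
"""Parse the DSA/list and CAN/list formats from the message and build the
per-release table. Added example; the grammar below is an assumption based
on the one entry shown, not the tracker's own parser."""
import re
from dataclasses import dataclass, field

# Constructed input: the excerpt quoted in the message, tab-indented as in the files.
DSA_LIST = """\
[13 Oct 2005] DSA-865-1 hylafax - insecure temporary files
\tFIXES: CAN-2005-3069
\t[woody] - hylafax 1:4.1.1-3.2
\t[sarge] - hylafax 1:4.2.1-5sarge1
\tNOTE: not fixed in testing at time of DSA (missing arm)
"""
CAN_LIST = """\
CAN-2005-3069 (xferfaxstats in HylaFax 4.2.1 and earlier allows local users to ...)
\t{DSA-865-1}
\t- hylafax 1:4.2.2+rc1 (bug #329384; low)
"""

DSA_HEADER = re.compile(r"^\[(\d{1,2} \w{3} \d{4})\] (DSA-\d+-\d+) (\S+) - (.*)$")
DSA_RELEASE = re.compile(r"^\s+\[(\w+)\] - (\S+) (\S+)$")
CAN_HEADER = re.compile(r"^(C(?:AN|VE)-\d{4}-\d+)(?: \((.*)\))?$")
CAN_FIX = re.compile(r"^\s+- (\S+) (\S+)(?: \((.*)\))?$")
URGENCIES = {"unimportant", "low", "medium", "high"}  # assumed vocabulary

@dataclass
class DSA:
    dsa_id: str; date: str; package: str; title: str
    fixes: list = field(default_factory=list)     # ids named on the FIXES: line
    releases: list = field(default_factory=list)  # (release, package, version), file order
    notes: list = field(default_factory=list)

@dataclass
class Fix:
    package: str; version: str; urgency: str = "unknown"; bugs: tuple = ()

@dataclass
class CAN:
    can_id: str; description: str
    dsas: list = field(default_factory=list)      # ids from the {...} line
    fixes: list = field(default_factory=list)     # Fix entries for unstable
    notes: list = field(default_factory=list)

@dataclass
class Row:
    package: str; type: str; release: str; fixed_version: str
    urgency: str; origin: str; bugs: tuple

def parse_dsa_list(text):
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := DSA_HEADER.match(line):
            cur = DSA(m.group(2), m.group(1), m.group(3), m.group(4))
            entries[cur.dsa_id] = cur
            continue
        if cur is None:
            raise ValueError("continuation line before any header: %r" % line)
        s = line.strip()
        if s.startswith("FIXES:"):
            cur.fixes.extend(s[6:].replace(",", " ").split())
        elif s.startswith("NOTE:"):
            cur.notes.append(s[5:].strip())
        elif m := DSA_RELEASE.match(line):
            cur.releases.append((m.group(1), m.group(2), m.group(3)))
        else:
            raise ValueError("unrecognised DSA/list line: %r" % line)
    return entries

def parse_annotation(text):
    """'bug #329384; low' -> ('low', ('329384',)); unknown tokens are an error."""
    urgency, bugs = "unknown", []
    for part in filter(None, (p.strip() for p in (text or "").split(";"))):
        if m := re.fullmatch(r"bug #(\d+)", part):
            bugs.append(m.group(1))
        elif part in URGENCIES:
            urgency = part
        else:
            raise ValueError("unrecognised annotation: %r" % part)
    return urgency, tuple(bugs)

def parse_can_list(text):
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := CAN_HEADER.match(line):
            cur = CAN(m.group(1), m.group(2) or "")
            entries[cur.can_id] = cur
            continue
        if cur is None:
            raise ValueError("continuation line before any header: %r" % line)
        s = line.strip()
        if s.startswith("{") and s.endswith("}"):
            cur.dsas.extend(s[1:-1].split())
        elif s.startswith("NOTE:"):
            cur.notes.append(s[5:].strip())
        elif m := CAN_FIX.match(line):
            urgency, bugs = parse_annotation(m.group(3))
            cur.fixes.append(Fix(m.group(1), m.group(2), urgency, bugs))
        else:
            raise ValueError("unrecognised CAN/list line: %r" % line)
    return entries

def check_cross_references(dsas, cans):
    """Both files must agree: every {DSA} reference has a FIXES: line naming the id and vice versa."""
    problems = []
    for can in cans.values():
        for dsa_id in can.dsas:
            if dsa_id not in dsas:
                problems.append(f"{can.can_id} references unknown {dsa_id}")
            elif can.can_id not in dsas[dsa_id].fixes:
                problems.append(f"{dsa_id} does not list {can.can_id} in FIXES:")
    for dsa in dsas.values():
        for cid in dsa.fixes:
            if cid not in cans:
                problems.append(f"{dsa.dsa_id} fixes {cid}, which has no CAN/list entry")
            elif dsa.dsa_id not in cans[cid].dsas:
                problems.append(f"{cid} does not reference {dsa.dsa_id}")
    return problems

def build_table(dsa_text, can_text):
    """One Row per (id, release): the CAN/list fix is unstable, DSA rows carry the DSA as origin."""
    dsas, cans, rows = parse_dsa_list(dsa_text), parse_can_list(can_text), []
    for can in cans.values():
        for f in can.fixes:
            rows.append(Row(f.package, "source", "unstable", f.version, f.urgency, "", f.bugs))
        for dsa_id in can.dsas:
            for release, package, version in dsas[dsa_id].releases:
                rows.append(Row(package, "source", release, version, "unknown", dsa_id, ()))
    return rows

if __name__ == "__main__":
    for r in build_table(DSA_LIST, CAN_LIST):
        print(r.package, r.type, r.release, r.fixed_version, r.urgency, r.origin, ",".join(r.bugs))
```

The cross-reference check is the part worth keeping around: once Sarge/Woody versions live only in DSA/list and the unstable version only in CAN/list, a `{DSA-...}` line and its `FIXES:` counterpart are the only link between the two, and a typo in either silently drops a release from the table.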