[Secure-testing-team] Introducing <no-dsa>

Florian Weimer fw at deneb.enyo.de
Wed Jan 4 18:16:13 UTC 2006


* Moritz Muehlenhoff:

> Florian Weimer wrote:
>> > [distribution-tags] - packagename <no-dsa> (This explains, why there is no DSA)
>> 
>> I'm wondering if this is the correct format.  Wouldn't it make sense
>> to generate a web page for http://www.debian.org/security/ from this
>> data?  If yes, you might want to have a bit more space for
>> explanations than that.
>
> At a later stage this could be used to generate 
> http://www.debian.org/security/nonvulns-sarge and the like, yes. These
> explanations are also only a single line. If there's the need for a
> more verbose form the bug should cover it anyway.

Oh, maybe we should tweak the syntax so that a reference to a bug
report can be included.

> This would be an example:
> CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
> 	[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)

Okay, I've added something to the parser.  The information is not
really included in vulnerability calculations, yet.  I'm not really
sure how to handle this in debsecan.

> So, maybe debsecan could list these issues as "unfixed for a reason"? Or you
> simply leave them as unfixed, but please ensure that the Python lib doesn't
> choke on the new syntax element.

Sure, please give it a try.
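As an added illustration (not code from this thread, from debsecan, or from the secure-testing tracker), the following Python parser reads the two-line entry format Moritz quoted, keeps `<no-dsa>` together with its parenthesized reason, and reports such an entry as "unfixed for a reason" as the reply suggests, while collecting lines it does not understand instead of aborting. The function names `parse` and `status_for`, the treatment of a bare token after the package name as a fixed version, and the handling of other `<...>` tags are assumptions of this example; the malformed third sample line is constructed to exercise the tolerance path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input. The first two lines are the example quoted in the
# thread; the third is a deliberately malformed line (constructed) that a
# tolerant parser must skip rather than choke on.
SAMPLE = """\
CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
\t[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)
\tthis line is deliberately malformed (constructed) and must not abort parsing
"""

# "CVE-YYYY-NNNN (optional description)"
HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
# "<indent>[release] - package <tag-or-version> (optional note)"
ENTRY = re.compile(r"^\s+\[([a-z]+)\]\s+-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


@dataclass
class Entry:
    release: str            # e.g. "sarge"
    package: str            # e.g. "phpbb2"
    status: str             # a "<no-dsa>"-style tag or (assumed) a fixed version
    note: Optional[str]     # text inside the trailing parentheses, if any


@dataclass
class Issue:
    cve: str
    description: Optional[str]
    entries: List[Entry] = field(default_factory=list)


def parse(text: str) -> Tuple[List[Issue], List[Tuple[int, str]]]:
    """Parse the entry format; return (issues, unparsed-lines-with-numbers).

    Unknown syntax is recorded, not raised, so a new element like <no-dsa>
    or a future tag never stops the whole list from loading.
    """
    issues: List[Issue] = []
    unparsed: List[Tuple[int, str]] = []
    current: Optional[Issue] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            current = Issue(cve=m.group(1), description=m.group(2))
            issues.append(current)
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            release, package, status, note = m.groups()
            current.entries.append(Entry(release, package, status, note))
            continue
        unparsed.append((lineno, line))
    return issues, unparsed


def status_for(issue: Issue, release: str) -> Tuple[str, str]:
    """Classify an issue for one release the way a debsecan-style report might.

    Returns (label, detail). "<no-dsa>" becomes "unfixed for a reason" with the
    reason as detail; other <tags> are passed through stripped of the brackets;
    a bare token is assumed (in this example) to be the fixed package version.
    """
    for e in issue.entries:
        if e.release != release:
            continue
        if e.status == "<no-dsa>":
            return ("unfixed for a reason", e.note or "")
        if e.status.startswith("<") and e.status.endswith(">"):
            return (e.status[1:-1], e.note or "")
        return ("fixed", e.status)
    return ("no entry", "")


if __name__ == "__main__":
    issues, bad = parse(SAMPLE)
    for issue in issues:
        label, detail = status_for(issue, "sarge")
        print(f"{issue.cve}: {label}" + (f" ({detail})" if detail else ""))
    for lineno, line in bad:
        print(f"skipped line {lineno}: {line.strip()!r}")
```

The unparsed list is the part worth keeping even if the classification is changed: whichever tool consumes the list can surface those lines for a human instead of silently dropping an issue or failing outright when the syntax grows.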
