[Secure-testing-team] DTSA announcements
Stefan Fritsch
sf at sfritsch.de
Sat Sep 1 12:44:52 UTC 2007
Hi,

I wrote some scripts to determine which issues are fixed by migration,
DTSA, or removal from testing. Issues that are "fixed" by downgrading
to unimportant or not-affected are not included. Currently, the output
looks like this:

DTSA:
=====

centerim 4.22.1-2lenny1:
        DTSA-55-1 : centerim - arbitrary code execution
        CVE-2007-3713: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3713

Migrated from unstable:
=======================

libpam-usb 0.4.1-1:
        <no CVE yet> : pam usb wrongly allows authentication without password in ssh sessions (TEMP-0000000-000573)
streamripper 1.62.2a-1:
        CVE-2007-4337: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4337

Removed from testing:
=====================

acidlab:
        CVE-2006-1590: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1590

I think we could create some daily or weekly summary mails from this
data. Is this a useful format? Should we include the long descriptions
from the CVEs? I think those are too long. Or is there a source for short
descriptions for CVEs that I don't know about?

For removed packages, there is the problem that (AFAIK) the release team
sometimes removes packages temporarily to ease transitions. This could be
confusing for the users. Should the information about removed packages be
included?

Should we include other information, like scores from NVD or our priorities?

In the last week, there have been 0-4 issues fixed per day. Do we want daily
or weekly summary mails?

For now, the daily output of the script is at
http://www.sfritsch.de/~dst/

If you notice any inconsistencies, please tell me.

Cheers,
Stefan
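
An added example, not part of the original message or of the author's scripts: a small Python parser for the report layout quoted above. It files each issue under its section and package, falls back to the TEMP id when no CVE is assigned, and can leave out the "Removed from testing" section that the message asks about. The function name, field names and `include_removed` flag are assumptions.

```python
import re

# Constructed input: the report excerpt quoted in the message above.
SAMPLE = """\
DTSA:
=====
centerim 4.22.1-2lenny1:
DTSA-55-1 : centerim - arbitrary code execution
CVE-2007-3713: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3713
Migrated from unstable:
=======================
libpam-usb 0.4.1-1:
<no CVE yet> : pam usb wrongly allows authentication without password in ssh sessions (TEMP-0000000-000573)
streamripper 1.62.2a-1:
CVE-2007-4337: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4337
Removed from testing:
=====================
acidlab:
CVE-2006-1590: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1590
"""

ENTRY = re.compile(r"^(CVE-\d{4}-\d+|DTSA-\d+-\d+|<no CVE yet>)\s*:\s*(.*)$")
TEMP_ID = re.compile(r"\((TEMP-\d+-\d+)\)\s*$")

def parse_report(text, include_removed=True):
    """Return one dict per issue: section, package, version, id, detail."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, section, package, version = [], None, None, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if set(line) == {"="}:
            continue  # underline belonging to the previous heading
        if set(nxt) == {"="}:  # a heading is the line above an underline
            section, package, version = line.rstrip(":"), None, None
        elif (m := ENTRY.match(line)):
            ident, detail = m.groups()
            temp = TEMP_ID.search(detail)
            if ident == "<no CVE yet>" and temp:
                ident = temp.group(1)  # no CVE assigned: use the TEMP id
            records.append({"section": section, "package": package,
                            "version": version, "id": ident, "detail": detail})
        elif line.endswith(":"):  # "name version:", or "name:" when removed
            package, _, version = line[:-1].partition(" ")
    return [r for r in records
            if include_removed or r["section"] != "Removed from testing"]

if __name__ == "__main__":
    for r in parse_report(SAMPLE, include_removed=False):
        print(r["section"], r["package"], r["version"], r["id"], sep=" | ")
```

Leading whitespace is stripped before matching, so the parser accepts the report with or without indentation.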