[Secure-testing-team] DTSA announcements

Moritz Muehlenhoff jmm at inutil.org
Sun Sep 2 18:35:37 UTC 2007


Stefan Fritsch wrote:
> Hi,
> 
> I wrote some scripts to determine which issues are fixed by migration, 
> DTSA, or removal from testing. Issues that are "fixed" by downgrading 
> to unimportant or not-affected are not included. Currently, the output 
> looks like this:

Very nice. If generated daily, this can replace the DTSA mails fully.
 
> DTSA:
> =====
> 
> centerim 4.22.1-2lenny1:
> DTSA-55-1    : centerim - arbitrary code execution
> CVE-2007-3713: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3713
> 
> 
> Migrated from unstable:
> =======================
> 
> libpam-usb 0.4.1-1:
> <no CVE yet> : pam usb wrongly allows authentication without password in ssh sessions (TEMP-0000000-000573)

I would omit the TEMP-foo, it's internal to the tracker and doesn't provide
additional useful information.

> Removed from testing:
> =====================
> 
> acidlab:
> CVE-2006-1590: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1590
> 
> 
> I think we could create some daily or weekly summary mails from this 
> data. Is this a useful format? Should we include the long descriptions 
> from the CVEs? I think those are too long. Or is there a source for short 
> descriptions for CVEs that I don't know about?

I believe the link is enough. You could also link to the Debian bugs if available.

> For removed packages, there is the problem that (AFAIK) the release team
> sometimes removes packages temporarily to ease transitions. This could be
> confusing for the users. Should the information about removed packages be 
> included?

Yes, but with a note that people will need to remove the package locally
as well. OTOH, there can be false positives if a package has been removed
for transitions or something similar.
 
> Should we include other information, like scores from NVD or our priorities?

I don't recommend that. The NVD scores are weird and ours are only used for
prioritization so far.
 
> In the last week, there have been 0-4 issues fixed per day. Do we want daily 
> or weekly summary mails?

IMO daily.
 
> For now, the daily output of the script is at
> http://www.sfritsch.de/~dst/
> If you notice any inconsistencies, please tell me.

Does it handle "retroactive" fixes? I.e. if a package has been fixed a week
ago and it has only been added to the tracker later.

Cheers,
        Moritz
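As an added illustration of the classification the thread discusses (not Stefan's script and not tracker code), the following constructed Python example diffs two daily snapshots of a hypothetical tracker data model, buckets newly fixed issues into DTSA / migrated / removed, skips downgrades to unimportant or not-affected, and answers the "retroactive fix" question by diffing the set of fixed issues rather than package versions. The data model, the `lenny`/`etch` version-suffix heuristic for spotting a DTSA upload, the string-equality version check, and the CVE-PLACEHOLDER identifiers are all assumptions of this example.

```python
"""Constructed example: classify how issues became fixed in testing by
diffing two daily tracker snapshots.  The data model is hypothetical,
not the Debian security tracker's real one."""
import re

# Statuses whose "fixes" are downgrades, not real fixes; they are skipped.
DOWNGRADE_STATES = {"unimportant", "not-affected"}

# Assumption: a security upload to testing carries the release codename in
# its version (the thread's centerim 4.22.1-2lenny1), which tells a DTSA
# apart from a plain migration from unstable.
DTSA_VERSION = re.compile(r"(lenny|etch)\d+$")


def fixed_set(snap):
    """Return {(issue, package)} for issues fixed in testing in this snapshot.
    An issue counts as fixed when the package is gone from testing or its
    testing version equals the recorded fixed version (simplification: real
    code would use dpkg version comparison, not string equality)."""
    fixed = set()
    testing = snap["testing"]
    for issue, pkgs in snap["issues"].items():
        for pkg, info in pkgs.items():
            if info["status"] in DOWNGRADE_STATES:
                continue
            if pkg not in testing:
                fixed.add((issue, pkg))
            elif info["fixed"] is not None and testing[pkg] == info["fixed"]:
                fixed.add((issue, pkg))
    return fixed


def classify(yesterday, today):
    """Diff two snapshots and bucket newly fixed issues the way the thread's
    summary does.  Diffing the *fixed set* (not package versions) means an
    issue the tracker only learned about later still shows up on the day it
    is recorded; it is flagged as retroactive when the package itself did
    not change."""
    report = {"DTSA": [], "Migrated from unstable": [], "Removed from testing": []}
    for issue, pkg in sorted(fixed_set(today) - fixed_set(yesterday)):
        new_ver = today["testing"].get(pkg)
        old_ver = yesterday["testing"].get(pkg)
        if new_ver is None:
            bucket = "Removed from testing"
        elif DTSA_VERSION.search(new_ver):
            bucket = "DTSA"
        else:
            bucket = "Migrated from unstable"
        line = f"{pkg} {new_ver or '(removed)'}: {issue}"
        if new_ver == old_ver:  # package unchanged, only the tracker entry is new
            line += " (retroactive)"
        report[bucket].append(line)
    return report


def render(report):
    """Plain-text summary in the thread's section style."""
    out = []
    for title, lines in report.items():
        if lines:
            out += [title + ":", "=" * (len(title) + 1)] + lines + [""]
    return "\n".join(out)


# Constructed sample snapshots (package "foo" and the CVE-PLACEHOLDER ids are
# made up for the example; the other ids come from the thread).
YESTERDAY = {
    "testing": {"centerim": "4.22.1-2", "libpam-usb": "0.4.0-1",
                "acidlab": "0.9.6b20-10", "foo": "1.0-1"},
    "issues": {
        "CVE-2007-3713": {"centerim": {"fixed": "4.22.1-2lenny1", "status": "open"}},
        "TEMP-0000000-000573": {"libpam-usb": {"fixed": "0.4.1-1", "status": "open"}},
        "CVE-2006-1590": {"acidlab": {"fixed": None, "status": "open"}},
    },
}
TODAY = {
    "testing": {"centerim": "4.22.1-2lenny1", "libpam-usb": "0.4.1-1", "foo": "1.0-1"},
    "issues": {
        "CVE-2007-3713": {"centerim": {"fixed": "4.22.1-2lenny1", "status": "open"}},
        "TEMP-0000000-000573": {"libpam-usb": {"fixed": "0.4.1-1", "status": "open"}},
        "CVE-2006-1590": {"acidlab": {"fixed": None, "status": "open"}},
        # Recorded today, but foo 1.0-1 was already in testing: retroactive.
        "CVE-PLACEHOLDER-RETRO": {"foo": {"fixed": "1.0-1", "status": "open"}},
        # Downgraded to unimportant: not a fix, must not be listed.
        "CVE-PLACEHOLDER-DOWNGRADE": {"foo": {"fixed": None, "status": "unimportant"}},
    },
}

if __name__ == "__main__":
    print(render(classify(YESTERDAY, TODAY)))
```

Running it prints the three sections in the same layout as the quoted script output; the libpam-usb line keeps its TEMP identifier only because that is the issue's key in the constructed data, a real report would print the tracker's public id or drop it as suggested above.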