Hi Neil,

On Fri, Dec 10, 2021 at 11:06:36AM +0000, Neil Williams wrote:
> On Wed, 22 Sep 2021 15:34:32 -0400 "Roberto C. Sanchez" <robe...@debian.org> 
> wrote:
> > Package: security-tracker
> > Severity: normal
> > 
> > 
> > It appears that when parsing data/CVE/list and a URL is encountered,
> > that extraneous characters can end up included in the link, which
> > can result in the actual link not reflecting the intended link.  For
> > example, https://security-tracker.debian.org/tracker/CVE-2020-13230
> > links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
> > but incorrectly includes the closing parenthesis that denotes the end of
> > the note text as part of the link.
> 
> This looks like it actually needs an improvement to the syntax of that CVE.
> 
> The URL would typically be part of a NOTE: line, not part of the comment.
> 
> e.g. current:
> 
> CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
> immediately  ...)
>       - cacti 1.2.11+ds1-1
>       [buster] - cacti 1.2.2+ds1-2+deb10u3
>       [stretch] - cacti <no-dsa> (Minor issue, Partial patch 
> https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
>       NOTE: https://github.com/Cacti/cacti/issues/3343
> 
> Proposed:
> 
> 
> CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
> immediately  ...)
>       - cacti 1.2.11+ds1-1
>       [buster] - cacti 1.2.2+ds1-2+deb10u3
>       [stretch] - cacti <no-dsa> (Minor issue, Partial patch)
>       NOTE: https://github.com/Cacti/cacti/issues/3343
>         NOTE: https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch

Actually those references to incomplete (and in some cases not
finalized backported packages/debdiffs) should (IMHO) not appear at
all, more even in the above particular case of an update which was
started and then stopped and the patch is only partially completed.

Maybe LTS team wants to just track somewhere else when an update has
started, but for some reason the upload was not finalized or there are
issues with the update.

But as I understand the LTS team is currently investigating that packaging
updates are all done in separate git repositories where I expect such
WIP will be tracked then as well.

The underlying bug might still be fixed at some point, there was a
similar issue in past for the NOTE part as well, which if I remember
correctly got fixed.

Regards,
Salvatore
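As an added illustration of the parsing problem Roberto reported and of why Neil's NOTE: syntax sidesteps it, here is a small, self-contained extractor written for this thread; it is not the security-tracker's own parser (that code is not shown here), and the entry text is reconstructed from the "current" form quoted above. It shows the naive non-whitespace match swallowing the note's closing parenthesis, a balanced-parenthesis trim that drops only the unmatched closer, and the NOTE:-line case where the whole remainder of the line is the reference and needs no trimming at all.

```python
import re

# Constructed sample, reproducing the "current" entry syntax quoted in the thread
# (the inline URL sits inside the parenthesised <no-dsa> note).
SAMPLE_ENTRY = """\
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately ...)
\t- cacti 1.2.11+ds1-1
\t[buster] - cacti 1.2.2+ds1-2+deb10u3
\t[stretch] - cacti <no-dsa> (Minor issue, Partial patch https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
\tNOTE: https://github.com/Cacti/cacti/issues/3343
"""

# "Anything that is not whitespace" is the kind of matcher that produces the bug:
# it runs right through the ')' that closes the surrounding note.
URL_PATTERN = re.compile(r"https?://\S+")


def extract_urls_naive(text):
    """Return URLs as a greedy matcher sees them, trailing note punctuation included."""
    return URL_PATTERN.findall(text)


def trim_unbalanced(url):
    """Strip trailing punctuation that belongs to the prose around the URL.

    A ')' is kept only while the URL itself has at least as many '(' as ')'
    (Wikipedia-style links such as .../Foo_(bar)); an unmatched ')' is the
    note's closer and is dropped.
    """
    while url and url[-1] in ".,;:)]":
        if url[-1] == ")" and url.count("(") >= url.count(")"):
            break
        url = url[:-1]
    return url


def extract_urls(text):
    """URLs from free text, with unmatched trailing punctuation removed."""
    return [trim_unbalanced(u) for u in URL_PATTERN.findall(text)]


def note_urls(entry):
    """URLs carried by NOTE: lines, where the rest of the line is the reference.

    Because the reference is the whole remainder of the line, there is no
    surrounding punctuation to mis-attach, which is the point of Neil's proposal.
    """
    urls = []
    for line in entry.splitlines():
        stripped = line.strip()
        if stripped.startswith("NOTE:"):
            body = stripped[len("NOTE:"):].strip()
            if URL_PATTERN.fullmatch(body):
                urls.append(body)
    return urls


if __name__ == "__main__":
    print("naive :", extract_urls_naive(SAMPLE_ENTRY))
    print("fixed :", extract_urls(SAMPLE_ENTRY))
    print("NOTE  :", note_urls(SAMPLE_ENTRY))
```

The trim is deliberately conservative: it only removes a closing parenthesis that has no opener inside the URL, so links that legitimately contain balanced parentheses survive, while the inline-note case from the thread loses exactly the one stray character.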
