Re: How to close open security issues
Nikolaus Rath wrote:

> Hello,
>
> http://packages.qa.debian.org/f/fuse.html reports 4 open security
> issues. I prepared an upload that fixes them, but how do I tell the
> package tracking system that they are fixed? There seem to be no
> associated debian BTS numbers.

I've added fixed version info to the debian security tracker [0]. You will need to fix these issues in squeeze and lenny (via security announcement or proposed-update) if you want to eliminate that message from your package page. Follow [1] to send a ticket with the proposed fix to the security team and they'll tell you what to do from there.

Best wishes,
Mike

[0] http://security-tracker.debian.org
[1] http://wiki.debian.org/rt.debian.org#Security_Team

--
To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110604161801.6f946c56.michael.s.gilb...@gmail.com

Re: How to close open security issues
On 05/24/2011 12:26 AM, sils wrote:

> Hi, Paul, please correct me if I was wrong.
>
> There is a bug in BTS related to 3 of these CVEs:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624551
>
> http://security-tracker.debian.org/tracker/CVE-2011-0541 = #624551
> http://security-tracker.debian.org/tracker/CVE-2011-0542 = #624551
> http://security-tracker.debian.org/tracker/CVE-2011-0543 = #624551
>
> I found out that it would be needed to add, also, in debian/changelog
> the mention of this bug number.
>
> Just hope this will help.
>
> Kind regards,
> Sils

Sure. The changelog entry can be like this:

  * Fixed CVE-2010-3879 CVE-2011-0541, CVE-2011-0542, CVE-2011-0543: an
    unprivileged user could unmount arbitrary locations via symlink attack
    due to a race condition (Closes: #624551, #602333).

Cheers,
Thomas Goirand (zigo)

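A pre-upload check for a changelog entry like the one suggested above, as an added example (not part of the thread and not a Debian tool). The `Closes:` pattern is the one documented in Debian Policy; the CVE-to-bug mapping is the one listed in this thread; the function names and the second sample entry are constructed for illustration.

```python
import re

# Bug-closing syntax as documented in Debian Policy (changelog section).
CLOSES_RE = re.compile(
    r"closes:\s*(?:bug)?\#?\s?\d+(?:,\s*(?:bug)?\#?\s?\d+)*", re.I)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# CVE -> BTS bug number, as listed in the thread.
EXPECTED = {
    "CVE-2010-3879": 602333,
    "CVE-2011-0541": 624551,
    "CVE-2011-0542": 624551,
    "CVE-2011-0543": 624551,
}

def closed_bugs(entry):
    """Bug numbers that a 'Closes:' clause in this entry actually closes."""
    bugs = set()
    for match in CLOSES_RE.finditer(entry):
        bugs.update(int(n) for n in re.findall(r"\d+", match.group(0)))
    return bugs

def check_entry(entry, expected=EXPECTED):
    """Report CVEs and bugs the entry fails to mention or close."""
    text = " ".join(entry.split())  # entries wrap across lines; unwrap first
    cves = set(CVE_RE.findall(text))
    return {
        "missing_cves": sorted(set(expected) - cves),
        "missing_bugs": sorted(set(expected.values()) - closed_bugs(text)),
        "unexpected_cves": sorted(cves - set(expected)),
    }

# Entry proposed in the thread.
GOOD = """  * Fixed CVE-2010-3879 CVE-2011-0541, CVE-2011-0542, CVE-2011-0543: an
    unprivileged user could unmount arbitrary locations via symlink attack
    due to a race condition (Closes: #624551, #602333).
"""
# Constructed entry: two CVEs omitted, and no comma between the bug
# numbers, so only the first number is part of the Closes: clause.
BAD = "  * Fix CVE-2010-3879 and CVE-2011-0541 (Closes: #602333 #624551).\n"

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_entry(entry))
```
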
Re: How to close open security issues
Hi!

On 23.05.2011 18:26, sils wrote:

> There is a bug in BTS related to 3 of these CVEs
> [..]
> I found out that it would be needed to add, also, in debian/changelog
> the mention of this bug number.

Please also contact the security team, to coordinate a security update for them, as it seems that the versions in oldstable and stable are affected by those CVEs, too.

Best regards,
Alexander

How to close open security issues
Hello,

http://packages.qa.debian.org/f/fuse.html reports 4 open security issues. I prepared an upload that fixes them, but how do I tell the package tracking system that they are fixed? There seem to be no associated debian BTS numbers.

Thanks,
-Nikolaus

--
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C

Re: How to close open security issues
On Mon, May 23, 2011 at 11:39 PM, Nikolaus Rath nikol...@rath.org wrote:

> http://packages.qa.debian.org/f/fuse.html reports 4 open security
> issues. I prepared an upload that fixes them, but how do I tell the
> package tracking system that they are fixed? There seem to be no
> associated debian BTS numbers.

You can find the associated bug numbers on the individual CVEs:

http://security-tracker.debian.org/tracker/CVE-2010-3879 = #602333
http://security-tracker.debian.org/tracker/CVE-2011-0541 = #624551
http://security-tracker.debian.org/tracker/CVE-2011-0542 = #624551
http://security-tracker.debian.org/tracker/CVE-2011-0543 = #624551

Be sure to mention the CVE numbers in debian/changelog for the upload that fixes them.

Also check out the sections of the devref dealing with security issues:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

--
bye,
pabs

http://wiki.debian.org/PaulWise

Re: How to close open security issues
Hi, Paul, please correct me if I was wrong.

There is a bug in BTS related to 3 of these CVEs:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624551

http://security-tracker.debian.org/tracker/CVE-2011-0541 = #624551
http://security-tracker.debian.org/tracker/CVE-2011-0542 = #624551
http://security-tracker.debian.org/tracker/CVE-2011-0543 = #624551

I found out that it would be needed to add, also, in debian/changelog the mention of this bug number.

Just hope this will help.

Kind regards,
Sils

On 05/23/2011 06:03 PM, Paul Wise wrote:

> On Mon, May 23, 2011 at 11:39 PM, Nikolaus Rath nikol...@rath.org wrote:
>
> > http://packages.qa.debian.org/f/fuse.html reports 4 open security
> > issues. I prepared an upload that fixes them, but how do I tell the
> > package tracking system that they are fixed? There seem to be no
> > associated debian BTS numbers.
>
> You can find the associated bug numbers on the individual CVEs:
>
> http://security-tracker.debian.org/tracker/CVE-2010-3879 = #602333
> http://security-tracker.debian.org/tracker/CVE-2011-0541 = #624551
> http://security-tracker.debian.org/tracker/CVE-2011-0542 = #624551
> http://security-tracker.debian.org/tracker/CVE-2011-0543 = #624551
>
> Be sure to mention the CVE numbers in debian/changelog for the upload
> that fixes them.
>
> Also check out the sections of the devref dealing with security issues:
>
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security