Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
* [Wed, Apr 03, 2024 at 11:11:20PM +0100] Samuel Henrique:
> On the proposed solution I also mention that we can use the "(free text comment)" section to indicate that, while sticking to "not-affected", this would simplify things as no new value is needed. But parsing the cases where only the sources contain the vulnerable code might be a bit harder.
>
> Not only is the parsing harder, but it also is a "lesser" warning than an "affected" status.
>
> I'm curious though as to what is the use case of that; no other Linux distribution specifies the case where only the source carries the vulnerability.
>
> My impression is that Debian currently does, even if imperfectly, by marking the package as vulnerable and setting the unimportant bit.
>
> What would be the need for this as a user? If this is a need you have, could you clarify it, please?

Definitively it isn't a need, I would call it an expectation.

I used to recompile a lot of Debian packages, usually for backporting, and I guess I've always assumed that a package marked not-vulnerable would not bring the vulnerability back when, e.g., linked against a previous version of a library. Or, e.g., I would not consider not-vulnerable a package shipping a malicious example script.

But I concede that creating a binary-only tag has its own issues. For example, a vulnerability could only affect some architectures, and that means you should now differentiate not only per package name and "form" (source or binary), but also per architecture.

Cheers,
Gian Piero.
[SECURITY] [DSA 5655-1] cockpit security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5655-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 04, 2024                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cockpit
CVE ID         : CVE-2024-2947

It was discovered that Cockpit, a web console for Linux servers, was susceptible to arbitrary command execution if an administrative user was tricked into opening an sosreport file with a malformed filename.

For the stable distribution (bookworm), this problem has been fixed in version 287.1-0+deb12u1.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-1139: missing from list
CVE-2024-2653: TODO: check
CVE-2024-2700: missing from list
CVE-2024-27316: missing from list
CVE-2024-27919: missing from list
CVE-2024-28182: missing from list
CVE-2024-2971: TODO: check
CVE-2024-30255: missing from list
CVE-2024-31309: missing from list
CVE-2024-31419: TODO: check
CVE-2024-31420: TODO: check
CVE-2024-3205: TODO: check
CVE-2024-3296: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
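As an added illustration of how a report of this shape is produced (this is not the tracker's own check script): the snippet below takes a list of ids known elsewhere, looks each one up in a constructed sample written in the layout of the security tracker's data/CVE/list file (one CVE header line, indented status lines below it; that layout and the sample entries are assumptions here), and prints "missing from list" for ids the tracker lacks or the TODO line for ids still untriaged, skipping ids that are already triaged.

```python
import re

# Constructed sample in the layout of the tracker's data/CVE/list
# (assumption: a header line per id, tab-indented status lines below).
TRACKER_LIST = """\
CVE-2024-2947 (Cockpit sosreport filename command execution)
\t- cockpit 287.1-0+deb12u1
CVE-2024-2653
\tTODO: check
CVE-2024-2971
\tTODO: check
CVE-2024-0001 (constructed, already triaged)
\t- somepkg <not-affected> (Vulnerable code not present)
"""

# Ids "known elsewhere" (constructed; some overlap with the report above).
EXTERNAL_IDS = ["CVE-2024-1139", "CVE-2024-2653", "CVE-2024-2947",
                "CVE-2024-2971", "CVE-2024-0001", "CVE-2024-2700"]

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s|$)")


def parse_tracker_list(text):
    """Map each CVE id to the stripped status lines indented below it."""
    entries, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
        elif line.startswith(("\t", " ")) and current:
            entries[current].append(line.strip())
    return entries


def external_check(external_ids, tracker_text):
    """Report ids absent from the tracker or still carrying a TODO line."""
    entries = parse_tracker_list(tracker_text)
    report = {}
    for cve in sorted(external_ids):          # string order, as in the report
        if cve not in entries:
            report[cve] = "missing from list"
        else:
            todo = [l for l in entries[cve] if l.startswith("TODO:")]
            if todo:
                report[cve] = todo[0]
    return report


if __name__ == "__main__":
    for cve, status in external_check(EXTERNAL_IDS, TRACKER_LIST).items():
        print(f"{cve}: {status}")
```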