Processed: Re: Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Processing control commands:

> tags -1 - pending
Bug #610220 [security-tracker] Show URLs in TODO/NOTE as hyperlinks in the web view
Removed tag(s) pending.

--
610220: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/handler.s.b610220.14105893491552.transcr...@bugs.debian.org
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Control: tags -1 - pending

Hi Holger,

On Fri, Sep 12, 2014 at 12:19:06PM +0200, Holger Levsen wrote:
> attached is a patch to lib/python/web_support.py which turns the notes (used
> in CVEs) into hyperlinks - if they start with http(s)://
>
> Please tell me whether it's ok to commit this.

I had a look at this patch. It can only address isolated URLs in the notes
this way. We usually use this in other ways; one example is the one that
Florian mentioned in the first message:

  Note: see https://

which should turn into

  see http://www.example.com/info.html

Other examples where we use the free form extensively are when we document
which commits introduced a given problem, where it was fixed, etc. I'm also
adding the corresponding note, as this might change when looking into it
next time:

- https://security-tracker.debian.org/tracker/CVE-2014-3620
  NOTE: http://curl.haxx.se/docs/adv_20140910B.html
  NOTE: Introduced by https://github.com/bagder/curl/commit/85b9dc8023

- https://security-tracker.debian.org/tracker/CVE-2014-3145
  NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
  NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8
  NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67

- https://security-tracker.debian.org/tracker/CVE-2014-3122
  NOTE: Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233
  NOTE: Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)

The last one is particularly interesting as it contains normal text before
and after a reference which should be turned into a link.

There is one other problematic example with the patch, where we have notes
starting with http(s), but adding explanations/further text afterwards:

- https://security-tracker.debian.org/tracker/CVE-2014-6387
  NOTE: http://www.mantisbt.org/bugs/view.php?id=17640
  NOTE: http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
  NOTE: http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)

So we would need something more complicated here, isolating first the URLs
in the text and converting that part, but keeping the surrounding ones.

Thanks for also looking into this one!

Regards,
Salvatore

Archive: https://lists.debian.org/20140913062217.GA12503@eldamar.local
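The approach Salvatore describes above (find the URLs inside a note, link only those, keep the surrounding text) as an added example; this is not Holger's patch and not the tracker's web_support code, and the note lines are constructed from the shapes quoted in the thread. It also HTML-escapes every piece of the note, so free-form note text can never inject markup into the web view, and it never links anything but http(s).

```python
import html
import re

# An http(s) URL runs to the next whitespace or markup character; closing
# punctuation is trimmed afterwards so "(1.2.x branch)" style annotations
# and a sentence-final "." stay plain text.
_URL_RE = re.compile(r'https?://[^\s<>"]+')
_TRAILING = '.,;:)]'


def _split_url(token):
    """Return (url, trailing_text) with closing punctuation moved out of the URL."""
    trailing = ''
    while token and token[-1] in _TRAILING:
        # A ")" that closes a "(" inside the URL (wiki-style links) belongs to it.
        if token[-1] == ')' and token.count('(') >= token.count(')'):
            break
        trailing = token[-1] + trailing
        token = token[:-1]
    return token, trailing


def linkify_note(line):
    """Render one NOTE line as HTML: each http(s) URL becomes an <a>, the text
    around it is kept, and every fragment is escaped with html.escape()."""
    out = []
    pos = 0
    for m in _URL_RE.finditer(line):
        url, trailing = _split_url(m.group(0))
        out.append(html.escape(line[pos:m.start()]))
        out.append('<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                            html.escape(url)))
        out.append(html.escape(trailing))
        pos = m.end()
    out.append(html.escape(line[pos:]))
    return ''.join(out)


def make_pre_html(lines):
    """Counterpart of the tracker's make_pre(): one linkified line per note."""
    return '<pre>' + '\n'.join(linkify_note(l) for l in lines) + '</pre>'


# Constructed sample notes, modelled on the ones quoted in the thread.
SAMPLE_NOTES = [
    'http://curl.haxx.se/docs/adv_20140910B.html',
    'Introduced by https://github.com/bagder/curl/commit/85b9dc8023',
    'http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)',
    'Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)',
    'see <script>alert(1)</script> ftp://example.invalid/not-linked',
]

if __name__ == '__main__':
    print(make_pre_html(SAMPLE_NOTES))
```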
Re: RFC: Invert ordering of issues in source package view: newest should be up
Hi Holger,

On Sat, Sep 13, 2014 at 01:35:06AM +0200, Holger Levsen wrote:
> Hi,
>
> I think this is clearly a bugfix ;-) Please comment.
>
> Both open and resolved issues will be inverse sorted, so that newest CVEs
> will
> be on top of the list.
>
> cheers,
> Holger
>
> commit dd7b75472e00cea9759eb6554decf26c6fe8eb11
> Author: Holger Levsen
> Date: Sat Sep 13 01:28:00 2014 +0200
>
> Invert ordering of issues in source package view: newest should be up.
>
> diff --git a/lib/python/security_db.py b/lib/python/security_db.py
> index 8580d5b..b15924e 100644
> --- a/lib/python/security_db.py
> +++ b/lib/python/security_db.py
> @@ -1690,7 +1690,8 @@ class DB:
> FROM bugs, package_notes as p
> WHERE p.bug_name = bugs.name
> AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%')
> -AND p.package = ?""", (package,))
> +AND p.package = ?
> +ORDER BY bugs.release_date DESC""", (package,))

This changes the ordering in the 'Security announcements' section, ordering
it by "release date" of the DSA/DLA, right? So for example file will show
with your patch:

  DSA / DLA    Description
  DLA-50-1     file - security update
  DSA-3021-1   file - security update
  DLA-27-1     file - security update
  [...]

This looks like a good change to do, so "ack" at least from my side to do
so. But above you mention to invert also the open and resolved CVEs by
descending order? Why do you like to do that?

Regards,
Salvatore

Archive: https://lists.debian.org/20140913045201.GA1701@eldamar.local
Processed: Re: Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)
Processing control commands:

> tags -1 - pending
Bug #742855 [security-tracker] security-tracker: tabular view should always be by release order
Removed tag(s) pending.

--
742855: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742855
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: https://lists.debian.org/handler.s.b742855.141058070224860.transcr...@bugs.debian.org
Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)
Control: tags -1 - pending

Hi,

On Sat, Sep 13, 2014 at 01:32:38AM +0200, Holger Levsen wrote:
> Hi,
>
> commit baa7d44e460efe2b24e7b029633701cd29986d0d
> Author: Holger Levsen
> Date: Sat Sep 13 01:23:35 2014 +0200
>
> Sort releases correctly in tabular view. (Closes: #742855)

I tested the patch in my local instance. It now sorts the CVEs in descending
order, which was not what I meant. We had so far the oldest CVEs on top, which
this patch would change. My change request however was about something else:
in the tabular view, from left to right, it should be sorted by releases and
not have a mix. libspring-java (as of now; this might change in future) shows
right now:

  Bug           | jessie     | sid        | wheezy     | Description
  --------------+------------+------------+------------+-------------------------------------
  CVE-2014-0225 | fixed      | fixed      | vulnerable | Information disclosure via SSRF
  CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal

This should be ordered (and for future releases):

  Bug           | wheezy     | jessie     | sid        | Description
  --------------+------------+------------+------------+-------------------------------------
  CVE-2014-0225 | vulnerable | fixed      | fixed      | Information disclosure via SSRF
  CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal

So "(squeeze) <= wheezy <= jessie <= sid", and for future releases then
"(squeeze) <= wheezy <= jessie <= X <= sid" in the columns (and keep the
ordering from oldest to newest CVE).

Thanks for looking into this!

Regards,
Salvatore

Archive: https://lists.debian.org/20140913035812.GA32080@eldamar.local
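The ordering Salvatore asks for, as an added example that is not the tracker's own code: release columns in the fixed oldest-to-newest order and bugs from oldest to newest CVE. The release list and the sample rows are constructed here; the CVE sort key is numeric on (year, sequence) because a plain string sort misorders ids once sequence numbers grow past four digits.

```python
import re

# Constructed release order, oldest on the left, sid on the right; the real
# tracker keeps this list in security_db.py (release_to_number).
RELEASE_ORDER = ['squeeze', 'wheezy', 'jessie', 'sid']


def release_key(release):
    """Sort key for release columns; names not in the list sort last, by name."""
    try:
        return (0, RELEASE_ORDER.index(release))
    except ValueError:
        return (1, release)


_CVE_RE = re.compile(r'^CVE-(\d{4})-(\d+)$')


def bug_key(name):
    """Chronological key: CVEs by (year, sequence) as integers, so
    CVE-2014-10000 sorts after CVE-2014-9999; other ids (TEMP-*) go last."""
    m = _CVE_RE.match(name)
    if m:
        return (0, int(m.group(1)), int(m.group(2)))
    return (1, name)


def tabular_view(rows):
    """rows: iterable of (bug, {release: status}, description) in any order.
    Returns (header, body) with release columns in RELEASE_ORDER and bugs
    from oldest to newest CVE, as requested in #742855."""
    rows = list(rows)
    releases = sorted({r for _, status, _ in rows for r in status}, key=release_key)
    header = ['Bug'] + releases + ['Description']
    body = []
    for bug, status, desc in sorted(rows, key=lambda row: bug_key(row[0])):
        body.append([bug] + [status.get(r, 'unknown') for r in releases] + [desc])
    return header, body


# Constructed sample, deliberately in the mixed order shown for libspring-java.
SAMPLE_ROWS = [
    ('CVE-2014-3578', {'jessie': 'vulnerable', 'sid': 'vulnerable', 'wheezy': 'vulnerable'},
     'Spring framework directory traversal'),
    ('CVE-2014-0225', {'jessie': 'fixed', 'sid': 'fixed', 'wheezy': 'vulnerable'},
     'Information disclosure via SSRF'),
]

if __name__ == '__main__':
    header, body = tabular_view(SAMPLE_ROWS)
    for row in [header] + body:
        print(' | '.join(row))
```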
Bug#642987: Display end-of-life information in the web view. (Closes: #642987)
Hi,

this patch I like the least, but it works. Probably it would be better to use
bug status instead of urgency, not sure. I think this is an artefact of trying
status...

+++ b/lib/python/security_db.py CHECK (status IN ('vulnerable', 'fixed', 'unknown', 'undetermined', - 'partially-fixed', 'todo')), + 'partially-fixed', 'todo', 'end-of-life')),

I left it in for now.

commit 07399db5abecc0e5b79b70f2a0b47bb3519dabdd
Author: Holger Levsen
Date: Sat Sep 13 02:02:42 2014 +0200

Display end-of-life information in the web view. (Closes: #642987)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 48ad599..bb1411a 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -419,6 +419,8 @@ data source.""")], else: rel = '(unstable)' urgency = str(n.urgency) + if urgency == 'end-of-life': + urgency = self.make_red('end-of-life') if n.fixed_version: ver = str(n.fixed_version) if ver == '0': diff --git a/lib/python/bugs.py b/lib/python/bugs.py index 15908dc..7258be7 100644 --- a/lib/python/bugs.py +++ b/lib/python/bugs.py @@ -24,7 +24,7 @@ class Urgency(debian_support.PseudoEnum): pass def listUrgencies(): urgencies = {} -urgs = ('high', 'medium', 'low', 'unimportant', 'not yet assigned') +urgs = ('high', 'medium', 'low', 'unimportant', 'end-of-life', 'not yet assigned') for u in range(len(urgs)): urgencies[urgs[u]] = Urgency(urgs[u], -u) Urgency.urgencies = urgencies @@ -579,7 +579,7 @@ class FileBase(debian_support.PackageFile): comments.append(('NOTE', r)) elif v == 'end-of-life': pkg_notes.append(PackageNoteParsed - (p, '0', 'unimportant', + (p, None, 'end-of-life', release=release)) if d: # Not exactly ideal, but we have to diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 4a4a2b7..06e3f11 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py
@@ -273,7 +273,7 @@ class DB: release TEXT NOT NULL, status TEXT NOT NULL CHECK (status IN ('vulnerable', 'fixed', 'unknown', 'undetermined', - 'partially-fixed', 'todo')), + 'partially-fixed', 'todo', 'end-of-life')), reason TEXT NOT NULL, PRIMARY KEY (bug_name, release))""") @@ -1275,7 +1275,8 @@ class DB: AND n.id = vulnlist.note ORDER BY vulnlist.package""")): if fixed_version == '0' or urgency == 'unimportant' \ - or kind not in ('source', 'binary', 'unknown'): +or urgency == 'end-of-life' \ +or kind not in ('source', 'binary', 'unknown'): continue # Normalize FAKE-* names a bit. The line number (which @@ -1470,7 +1471,8 @@ class DB: # packages as vulnerable. (If unstable_fixed == '0', # release-specific annotations cannot create # vulnerabilities, either.) -if total_urgency == 'unimportant' or unstable_fixed == '0': +if total_urgency == 'unimportant' or unstable_fixed == '0' \ +or total_urgency == 'end-of-life': continue if unstable_fixed is None:

cheers,
Holger
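Review bot: In the listUrgencies hunk in lib/python/bugs.py, the numeric order of an urgency is its position in the tuple (`urgencies[urgs[u]] = Urgency(urgs[u], -u)`), so inserting 'end-of-life' before 'not yet assigned' shifts the number assigned to 'not yet assigned'; please confirm that these values are only ever compared relative to each other (as in urgency_to_number) and never stored or compared against a constant, otherwise 'end-of-life' should be appended at the end of the tuple.

Review bot: In the FileBase hunk in lib/python/bugs.py, replacing `(p, '0', 'unimportant',` with `(p, None, 'end-of-life',` turns an end-of-life entry from "fixed in version 0" into "no fixed version", so any code that decides vulnerability from `fixed_version == '0'` alone now sees the package as vulnerable unless it also learns the new urgency. The two security_db.py hunks add that urgency test, but every other consumer of fixed_version needs the same audit; keeping '0' as the fixed version and only changing the urgency would avoid that, or, as the cover mail suggests, end-of-life could be modelled as a status rather than an urgency.

Review bot: The `CHECK (status IN (...))` hunk in lib/python/security_db.py adds 'end-of-life' as a permitted package status, but no other hunk writes that status (the code path uses urgency), so this is the leftover the cover mail mentions and should be dropped until the status route is actually implemented. Note also that the CHECK lives in the CREATE TABLE statement, so it only takes effect on a freshly created database.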
Bug#742382: Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)
Hi,

commit b22f1ba0cd9499e716f7b729f546a98bd4950dda
Author: Holger Levsen
Date: Sat Sep 13 01:47:11 2014 +0200

Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py index fb3fd27..48ad599 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -545,19 +545,18 @@ to improve our documentation and procedures, so feedback is welcome.""")])]) pkg = path[0] def gen_versions(): -for (releases, version) in self.db.getSourcePackageVersions( -self.db.cursor(), pkg): -yield ', '.join(releases), version +for (release, version) in self.db.getSourcePackageVersions( +self.db.cursor(), pkg): +yield release, version def gen_bug_list(lst): for (bug, description) in lst: yield self.make_xref(url, bug), description suites = () -for (releases, version) in self.db.getSourcePackageVersions( +for (release, version) in self.db.getSourcePackageVersions( self.db.cursor(), pkg): -for r in releases: -if r not in suites: -suites = suites + (r,) +if release not in suites: +suites = suites + (release,) def gen_summary(bugs): for (bug, description) in bugs: diff --git a/lib/python/security_db.py b/lib/python/security_db.py index b15924e..4a4a2b7 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -432,6 +432,14 @@ class DB: return -1 self.db.createscalarfunction("release_to_number", release_to_number, 1) +subreleases = ['', 'security', 'lts'] +def subrelease_to_number(u): +try: +return subreleases.index(u) +except ValueError: +return -1 +self.db.createscalarfunction("subrelease_to_number", subrelease_to_number, 1) + def release_name(release, subrelease, archive): if archive <> 'main': release = release + '/' + archive
@@ -1566,14 +1574,13 @@ class DB: """A generator which returns tuples (RELEASE-LIST, VERSION), the available versions of the source package pkg.""" -for (releases, version) in cursor.execute( -"""SELECT string_list(release) AS releases, version -FROM (SELECT release, version FROM source_packages +for (release, version) in cursor.execute( +"""SELECT release_name(release, subrelease, archive) +AS release, version FROM source_packages WHERE name = ? AND release IN ('squeeze', 'wheezy', 'jessie', 'sid') -ORDER BY release_to_number(release)) -GROUP BY version""", (pkg,)): -yield releases.split(', '), version +ORDER BY release_to_number(release), subrelease_to_number(subrelease)""", (pkg,)): +yield release, version def getBinaryPackageVersions(self, cursor, pkg): """A generator which returns tuples (RELEASE-LIST,

cheers,
Holger
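Review bot: In the subrelease_to_number hunk in lib/python/security_db.py, `subreleases = ['', 'security', 'lts']` maps the plain release to 0 and anything unknown to -1 through the `except ValueError` branch; if the subrelease column can hold NULL rather than '' (the driver would then pass None), it lands in the -1 branch and still sorts before 'security' and 'lts', so the order is right either way, but a short comment saying that NULL and '' are deliberately treated alike would make that intent explicit.

Review bot: The getSourcePackageVersions hunk still carries the docstring "A generator which returns tuples (RELEASE-LIST, VERSION)", but the rewritten query yields one `release_name(release, subrelease, archive)` string per row and no longer groups by version; update the docstring to describe the (RELEASE-NAME, VERSION) tuples now returned, and note that the gen_versions() caller in bin/tracker_service.py, which previously received a list, is adjusted in the same patch.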
Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)
Hi,

commit baa7d44e460efe2b24e7b029633701cd29986d0d
Author: Holger Levsen
Date: Sat Sep 13 01:23:35 2014 +0200

Sort releases correctly in tabular view. (Closes: #742855)

diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 9a25ad6..8580d5b 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -1682,7 +1682,7 @@ class DB: AND (bugs.name LIKE 'CVE-%' OR bugs.name LIKE 'TEMP-%') GROUP BY bugs.name, bugs.description, sp.name) WHERE vulnerable = ? AND unimportant = ? -ORDER BY name""", (pkg, vulnerable, unimportant)) +ORDER BY name DESC""", (pkg, vulnerable, unimportant)) def getDSAsForSourcePackage(self, cursor, package): return cursor.execute(

cheers,
Holger
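Review bot: `ORDER BY name DESC` is a string sort over the bug name, so CVE ids with different digit counts are not in chronological order (CVE-2014-9999 sorts before CVE-2014-10000 in descending order, and TEMP-* names form a separate run), and the bug title asks for the release columns to be ordered, not the CVE rows; this hunk therefore does not address #742855. If a newest-first CVE list is wanted as well, sort on a numeric (year, sequence) key derived from the name rather than on the string.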
RFC: Invert ordering of issues in source package view: newest should be up
Hi,

I think this is clearly a bugfix ;-) Please comment.

Both open and resolved issues will be inverse sorted, so that newest CVEs
will be on top of the list.

cheers,
Holger

commit dd7b75472e00cea9759eb6554decf26c6fe8eb11
Author: Holger Levsen
Date: Sat Sep 13 01:28:00 2014 +0200

Invert ordering of issues in source package view: newest should be up.

diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 8580d5b..b15924e 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -1690,7 +1690,8 @@ class DB: FROM bugs, package_notes as p WHERE p.bug_name = bugs.name AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%') -AND p.package = ?""", (package,)) +AND p.package = ? +ORDER BY bugs.release_date DESC""", (package,)) def getTODOs(self, cursor=None, hide_check=False):
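Review bot: The commit message says both open and resolved issues are inverse sorted, but the only hunk touches the DSA/DLA query (the trailing context is `def getTODOs`), adding `ORDER BY bugs.release_date DESC` to the announcements list; either narrow the message to the security-announcements table, or include the CVE-list change it describes so the log matches the diff.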
Re: small misc fixes
Hi Holger,

On Fri, Sep 12, 2014 at 03:14:57PM +0200, Holger Levsen wrote:
> Hi,
>
> On Friday, 12 September 2014, Holger Levsen wrote:
> > attached are three small no brainer fixes I'd like to apply, please confirm
>
> thanks to Thijs, this diff even got smaller and better, see attached.
>
> I've verified that the code still works nicely.
>
> May I commit? (And test git-svn committing... *lalala*)

Thanks for posting the diff. I have activated the changes for the
security-tracker, so they are live now.

Regards,
Salvatore

Archive: https://lists.debian.org/20140912150026.GA24295@eldamar.local
Re: small misc fixes
Hi,

On Friday, 12 September 2014, Thijs Kinkhorst wrote:
> Looks good to me. I've committed these now.
> Personally, I'd be fine with you just committing your stuff. People will
> be looking at commit messages anyway. And in case of trouble things are
> easily rolled back...

I could do that, but would like to have an ack from other people here first,
mostly Florian. Raphael suggested me to post patches to the list first, so
that's why I'm doing this atm...

cheers,
Holger
Re: small misc fixes
On Fri, September 12, 2014 15:14, Holger Levsen wrote:
> Hi,
>
> On Friday, 12 September 2014, Holger Levsen wrote:
>> attached are three small no brainer fixes I'd like to apply, please
>> confirm
>
> thanks to Thijs, this diff even got smaller and better, see attached.
>
> I've verified that the code still works nicely.
>
> May I commit? (And test git-svn committing... *lalala*)

Looks good to me.

Personally, I'd be fine with you just committing your stuff. People will
be looking at commit messages anyway. And in case of trouble things are
easily rolled back...

Thijs

Archive: https://lists.debian.org/f431f11208e9047827d2952d01cf1bb0.squir...@aphrodite.kinkhorst.nl
Re: small misc fixes
Hi,

On Friday, 12 September 2014, Holger Levsen wrote:
> attached are three small no brainer fixes I'd like to apply, please confirm

thanks to Thijs, this diff even got smaller and better, see attached.

I've verified that the code still works nicely.

May I commit? (And test git-svn committing... *lalala*)

cheers,
Holger

Index: lib/python/bugs.py === --- lib/python/bugs.py (Revision 28738) +++ lib/python/bugs.py (Arbeitskopie) @@ -886,8 +886,6 @@ return ("%s-%02d-%02d" % (year, month, int(day)), name, desc) def finishBug(self, bug): -# Convert all package notes to notes for etch (testing). -testing = debian_support.internRelease("etch") for n in bug.notes: if n.release is None: self.raiseSyntaxError( Index: lib/python/security_db.py === --- lib/python/security_db.py (Revision 28738) +++ lib/python/security_db.py (Arbeitskopie) @@ -424,7 +424,7 @@ return 999 self.db.createscalarfunction("urgency_to_number", urgency_to_number, 1) -releases = ['potato', 'woody', 'sarge', 'etch', 'lenny', 'squeeze', 'wheezy', 'sid'] +releases = ['potato', 'woody', 'sarge', 'etch', 'lenny', 'squeeze', 'wheezy', 'jessie', 'sid'] def release_to_number(u): try: return releases.index(u) Index: bin/tracker_service.py === --- bin/tracker_service.py (Revision 28738) +++ bin/tracker_service.py (Arbeitskopie) @@ -624,7 +624,7 @@ H2('Security announcements'), make_table(gen_bug_list(self.db.getDSAsForSourcePackage (self.db.cursor(), pkg)), -caption=('DSA', 'Description'), +caption=('DSA / DLA', 'Description'), replacement='No known security announcements.') ])
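Review bot: Dropping `testing = debian_support.internRelease("etch")` together with its comment in the finishBug hunk is the right fix only if nothing further down in finishBug references `testing`; the hunk shows just the loop head that follows, so please confirm with a grep over lib/python/bugs.py before committing.

Review bot: In the lib/python/security_db.py hunk, adding 'jessie' between 'wheezy' and 'sid' keeps release_to_number ordering correct, but this hard-coded list has to be edited again at every release; a comment marking it as the one place to update (or deriving it from the release data the tracker already has) would save the next person the search.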
small misc fixes
Hi,

attached are three small no brainer fixes I'd like to apply, please confirm :)

cheers,
Holger

Index: lib/python/bugs.py === --- lib/python/bugs.py (Revision 28738) +++ lib/python/bugs.py (Arbeitskopie) @@ -886,8 +886,9 @@ return ("%s-%02d-%02d" % (year, month, int(day)), name, desc) def finishBug(self, bug): +# FIXME: it seems wrong to hardcode the testing name here... # Convert all package notes to notes for etch (testing). -testing = debian_support.internRelease("etch") +testing = debian_support.internRelease("jessie") for n in bug.notes: if n.release is None: self.raiseSyntaxError( Index: lib/python/security_db.py === --- lib/python/security_db.py (Revision 28738) +++ lib/python/security_db.py (Arbeitskopie) @@ -424,7 +424,7 @@ return 999 self.db.createscalarfunction("urgency_to_number", urgency_to_number, 1) -releases = ['potato', 'woody', 'sarge', 'etch', 'lenny', 'squeeze', 'wheezy', 'sid'] +releases = ['potato', 'woody', 'sarge', 'etch', 'lenny', 'squeeze', 'wheezy', 'jessie', 'sid'] def release_to_number(u): try: return releases.index(u) Index: bin/tracker_service.py === --- bin/tracker_service.py (Revision 28738) +++ bin/tracker_service.py (Arbeitskopie) @@ -624,7 +624,7 @@ H2('Security announcements'), make_table(gen_bug_list(self.db.getDSAsForSourcePackage (self.db.cursor(), pkg)), -caption=('DSA', 'Description'), +caption=('DSA / DLA', 'Description'), replacement='No known security announcements.') ])
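Review bot: Bumping the hard-coded name to `internRelease("jessie")` in the finishBug hunk fixes the value but keeps exactly the maintenance problem the new FIXME describes; before doing that, check whether `testing` is referenced at all after this assignment, because if it is not, the assignment and its stale "etch (testing)" comment should simply be removed (the revised diff later in this thread does that).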
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Hi,

attached is a patch to lib/python/web_support.py which turns the notes (used
in CVEs) into hyperlinks - if they start with http(s)://

Please tell me whether it's ok to commit this.

cheers,
Holger

Index: lib/python/web_support.py === --- lib/python/web_support.py (Revision 28738) +++ lib/python/web_support.py (Arbeitskopie) @@ -453,12 +453,16 @@ def make_pre(lines): """Creates a pre-formatted text area.""" -r = [] -append = r.append +pre = [] +append = pre.append for l in lines: -append(l) -append('\n') -return tag('pre', ''.join(r)) +# please tell me once gopher:// is back +if l.startswith('http://') or l.startswith('https://'): +append(A(l)) +else: +append(l) +append(BR()) +return tag('pre', pre) def make_menu(convert, *entries): """Creates an unnumbered list of hyperlinks.
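Review bot: The `l.startswith('http://') or l.startswith('https://')` test links only notes that are nothing but a URL, so "Introduced by https://..." stays plain text, and a note that starts with a URL but continues with text such as "(1.2.x branch)" passes the whole line to `A(l)`, putting the trailing words into the href. Extract URL tokens from the line instead (a regex over http(s)://… up to the next whitespace, trimming trailing punctuation) and link only those, keeping the surrounding text. Also verify that `tag('pre', pre)` accepts a list where it previously got a joined string, that replacing '\n' with BR() inside a pre element does not change the line spacing, and that whatever A() does with its argument escapes it; the "please tell me once gopher:// is back" remark belongs in the commit message rather than the code.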
Re: fixing four bugs, let's start with a Makefile.diff
Hi,

On Friday, 12 September 2014, Salvatore Bonaccorso wrote:
> As you only extend Makefile with an additional target I think this
> is fine to be committed already without breaking the setup on soler.

ok, thanks, I've committed that, will present the next patch soonish...

cheers,
Holger
External check
CVE-2014-0547: RESERVED
CVE-2014-0548: RESERVED
CVE-2014-0549: RESERVED
CVE-2014-0550: RESERVED
CVE-2014-0551: RESERVED
CVE-2014-0552: RESERVED
CVE-2014-0553: RESERVED
CVE-2014-0554: RESERVED
CVE-2014-0555: RESERVED
CVE-2014-0556: RESERVED
CVE-2014-0557: RESERVED
CVE-2014-0559: RESERVED
CVE-2014-3631: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere; check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.

Archive: https://lists.debian.org/5412962f.fhdupwhj+tux0kx0%atomo64+st...@gmail.com