Bug#908678: Update on the security-tracker git discussion

2019-07-02 Thread Moritz Muehlenhoff
On Tue, Jul 02, 2019 at 01:25:43PM +0200, Salvatore Bonaccorso wrote:
> p.s.: Question is if we should do a split as well for the other types of
>   files which are supported (DSA, TDSA, ...) while at it.

We can axe out DTSA/* while we're at it.

For DSA/list (and DLA/list) we can initially keep it as a single file, it can
still be split later on if necessary.

Cheers,
Moritz



Bug#908678: Update on the security-tracker git discussion

2019-07-02 Thread Salvatore Bonaccorso
Hi,

On Mon, Jun 24, 2019 at 01:57:36PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Jun 09, 2019 at 01:48:58PM +0200, Salvatore Bonaccorso wrote:
> > On Sat, Jun 08, 2019 at 06:29:24PM +0200, Salvatore Bonaccorso wrote:
> > > Notes on possible CVE/list splits
> > > -
> > [...]
> > 
> > After a face-to-face conversation with Daniel, Daniel suggested
> > creating a priority list out of that; we will follow up on that
> > (ideally as a gitlab task-list) here with a link once we have made our
> > minds up on it.
> 
> The plan was initially to do that in that week. Due to some other
> issues (Debian related, and other) this was not possible. The plan
> still holds to prioritize these tasks so that people wanting to help
> contribute have something to tackle.

So I'm starting to track those here to better/more easily track work
on those:
https://salsa.debian.org/security-tracker-team/security-tracker-service/issues/1
(but they need to reshuffle and consolidate the items). Basically,
before the switch, the two major topics (the security-tracker code base
itself and the tools involved in the workflow for triaging/updating CVEs)
need to be adapted to a split repo situation, which makes many of the
items go into the first group anyway, but not all.

So, slowly, still work in progress.

On a personal note, it would be nice to have some dedicated time for
this only, but ...

Regards,
Salvatore

p.s.: Question is if we should do a split as well for the other types of
  files which are supported (DSA, TDSA, ...) while at it.



DSA candidates

2019-07-02 Thread Security Tracker
assigned
--
ceph/stable
--
dosbox/stable
--
enigmail/stable
--
firefox-esr/stable
--
firejail/stable
--
flightcrew/stable
--
glib2.0/stable
--
gnutls28/stable
--
golang-github-seccomp-libseccomp-golang/stable
--
golang-go.crypto/stable
--
gvfs/stable
--
imagemagick/stable
--
irssi/stable
--
jackson-databind/stable
--
jupyter-notebook/stable
--
kf5-messagelib/stable
--
libapache2-mod-auth-mellon/stable
--
libgcrypt20/stable
--
libmatio/stable
--
libspring-java/stable
--
libxslt/stable
--
monit/stable
--
mupdf/stable
--
openjpeg2/stable
--
openssl/stable
--
openvswitch/stable
--
pacemaker/stable
--
php-imagick/stable
--
php7.0/stable
--
phpmyadmin/stable
--
python-django/stable
--
python-urllib3/stable
--
qemu/stable
--
ruby-openid/stable
--
ruby-rails-admin/stable
--
ruby-rails-html-sanitizer/stable
--
ruby-zip/stable
--
salt/stable
--
sqlalchemy/stable
--
sqlite3/stable
--
tomcat7/stable
--
tomcat8/stable
--
--
The above is a list of DSA candidates based on the tracker's information.
One should evaluate the candidates and either add them to dsa-needed.txt
or consider tagging them no-dsa.



External check

2019-07-02 Thread Security Tracker
CVE-2019-10136: RESERVED
CVE-2019-10137: RESERVED
CVE-2019-12951: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.