Bug#649011: security-tracker: DSA-2346-1 vs. tracker
Hi,

* Francesco Poli (wintermute) invernom...@paranoici.org [2011-11-16 22:21]:
> Package: security-tracker
> Severity: normal
>
> Hello,
> it seems to me that the tracker page [1] for DSA-2346-1 [2] lacks the reference to CVE-2011-4130.
> Please update the tracker data.
> Thanks for your time!

Thanks for the report! Fixed.

Cheers
Nico

Archive: http://lists.debian.org/2017141859.ga25...@ngolde.de
Bug#642259: marked as done (security-tracker: DSA-2305-1 vs. tracker)
Hi,

* Francesco Poli invernom...@paranoici.org [2011-09-21 19:07]:
> On Tue, 20 Sep 2011 18:46:07 -0400 Michael Gilbert wrote:
> > Francesco Poli (wintermute) wrote:
> > > Package: security-tracker
> > > Severity: normal
> > >
> > > Hi!
> > > DSA-2305-1 [1] talks about two vulnerabilities (CVE-2011-0762 and CVE-2011-2189), but its tracker page [2] only refers to one of them (CVE-2011-0762).
> >
> > Fixed, thanks.
>
> Why did you add only a note, rather than an actual reference to CVE-2011-2189?

Because technically vsftpd would need its own CVE id (which it will not get though).

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Re: Security Fix for mantis stable 1.1.8
Hi Silvia,

please contact t...@security.debian.org for these matters in the future, the security tracker list is the wrong destination (even though team members read that as well) :D

* sils s...@powered-by-linux.com [2011-09-08 07:13]:
> A security update is needed for the current mantis stable version (1.1.8+dfsg-10). (The CVE is not yet published)
> I have prepared a new version (1.1.8+dfsg-10squeeze1).

The debdiff looks good. Please upload this to security-master [0]. Please send us the debdiff for oldstable for review as well once you've done it.

[0] http://www.debian.org/security/faq#SecurityUploadQueue

Kind regards and thanks for contacting us!
Nico
Re: DSA-2258-1 vs. tracker
Hi,

* Francesco Poli invernom...@paranoici.org [2011-06-11 19:10]:
> DSA-2258-1 [1] is about CVE-2011-1926, but the DSA tracker page [2] refers to CVE-2011-2194.
[...]

Thanks, fixed, cp error. CVE-2011-2194 was the previous DSA.

Cheers
Nico
Re: DSA-2163-1 vs. tracker
Hi,

* Francesco Poli invernom...@paranoici.org [2011-02-16 21:46]:
> according to DSA-2163-1 [1] two vulnerabilities are fixed in sid by python-django/1.2.5-1
> On the other hand, the tracker claims that version 1.2.5-1 is vulnerable [2][3]
> Is the DSA incorrect or should the tracker data be updated?
> Could you please clarify?

Fixed, thanks.

Cheers
Nico
Re: vlc Windows-only security bug
Hi,

* Benjamin Drung bdr...@ubuntu.com [2010-11-15 15:25]:
> There is one security bug filed against vlc that affects only Windows [1]. How do I get this bug removed from the list?
>
> http://security-tracker.debian.org/tracker/TEMP-0595686-002518

Thanks for bringing this to us. I looked at the issue and it's indeed Windows only. The entry in the security tracker will stay but it will be marked as not-affected.

Cheers
Nico
Re: vlc Windows-only security bug
Hi,

* Nico Golde n...@ngolde.de [2010-11-15 19:37]:
> * Benjamin Drung bdr...@ubuntu.com [2010-11-15 15:25]:
> > There is one security bug filed against vlc that affects only Windows [1]. How do I get this bug removed from the list?
> >
> > http://security-tracker.debian.org/tracker/TEMP-0595686-002518
>
> Thanks for bringing this to us. I looked at the issue and it's indeed Windows only. The entry in the security tracker will stay but it will be marked as not-affected.

Race with Moritz. Was committing right when writing this mail :)

Cheers
Nico
Re: It's DSA-2005-1, not DSA-2004-1 !
Hey,

* Francesco Poli f...@firenze.linux.it [2010-03-01 19:32]:
> it seems to me that an unfortunate typo in DSA-2005-1 [1] (erroneously issued as DSA-2004-1) caused the tracker page [2] for the actual DSA-2004-1 [3] to be polluted with extraneous CVEs.
> Please clean up the tracker data.
[...]

Already done, thanks for the notice though!

Cheers
Nico
Re: Update package on old CVE
Hi,

* Yves-Alexis Perez cor...@debian.org [2010-01-13 11:12]:
> I just noticed two CVEs which apply to Xfce packages in etch are set against the wrong package. Attached diff should fix that.

Thanks, fixed!

Cheers
Nico
Re: Getting new tracker service code to go live
Hi,

* Michael Gilbert michael.s.gilb...@gmail.com [2010-01-03 19:20]:
> If someone can push the latest updates, I think I've solved the problem with the latest commit.

I updated the tracker svn because I think your fix looks good.

Apart from that... I know I haven't been very active recently, still I wonder why you need to implement undiscussed (excuse me if I missed this) tracker features and Thijs is blindly committing them. This is not how we should work in my opinion.

Cheers
Nico
Re: Getting new tracker service code to go live
Hi,

* Nico Golde n...@ngolde.de [2010-01-03 22:58]:
> * Michael Gilbert michael.s.gilb...@gmail.com [2010-01-03 19:20]:
> > If someone can push the latest updates, I think I've solved the problem with the latest commit.
>
> I updated the tracker svn because I think your fix looks good.
[...]

Or not, I can't sudo into the sectracker account as I just updated my ldap password and it seems to take some time before it updates on soler... So if anyone is fast, please pull the trigger.

Cheers
Nico
Re: Security tracker reports fixed issues in silc-toolkit
Hi,

* Jérémy Bobbio lu...@debian.org [2009-10-30 14:05]:
> On Thu, Oct 29, 2009 at 05:39:35AM +, DDPOMail robot wrote:
> > === silc-toolkit: =
> > There are 6 unfixed security issue(s), please fix them. See
> > http://security-tracker.debian.net/tracker/source-package/silc-toolkit
>
> All those issues have been fixed, but the CVEs were not referenced in the Debian changelog (as the actual update made the security team register new CVEs).
> Could you please update the security tracker regarding these issues?

No. If you check the CVE ids in detail you will see that those issues are unfixed in oldstable, that's why the tracker shows it as open. If you look at http://security-tracker.debian.org/tracker/status/release/unstable you will see it doesn't show up there.

Cheers
Nico
Re: stable vs. testing: same versions, different status
Hi,

* Francesco Poli f...@firenze.linux.it [2009-06-09 20:19]:
> On Mon, 8 Jun 2009 17:09:54 -0400 Michael S. Gilbert wrote:
> [...]
> > > Moreover, it is my understanding that a security update for stable is automatically used for testing too, whenever testing does not have any newer version of the package.
> >
> > this is never the case. 2.6.26-15lenny3 from stable-security has and will not migrate to testing, so these issues are still present in squeeze.
>
> Ah, I thought this stable-security -> testing-security migration was already implemented.
> Maybe having this feature could be useful! What do others think?

As far as I know this is done but only after a point release.

> BTW, when will testing security support start again? Back in February, I was told to wait for some 2 months...
> http://lists.debian.org/debian-security-tracker/2009/02/msg00011.html

We are lacking manpower. While we have people who report bugs we lack people who fix bugs :) So the honest answer is, I don't know.

Cheers
Nico
unsupported packages
Hi,

I just added vmware-package to the package-tags file to reflect that we can't provide security support for this package (Cced maintainers to inform them of this).

The vmware-package comes with a script that uses an upstream tarball to create .deb files. The versions and md5sums of the tarballs are hardcoded in the script and the user needs to download the tarball himself. As far as I see this is outdated and won't even work currently. But we somehow need to reflect that we can't support this package in the tracker data.

So far issues regarding vmware got a fix status or an NFU but in my opinion none of this is really appropriate. For stable there is no support anyway but for unstable we traditionally supported packages in case we have some spare time and the issue is easily fixable. So I think we need to make a decision at this point to either not support contrib/non-free at all and mark these issues as NFU, or to introduce a tag for unsupported packages (Florian, what do you think?).

Opinions?

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: Submitting multiple CVEs in the same bug report
Hi,

* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-04-10 13:31]:
> What is the modus operandi for submitting multiple CVEs in the same bug report? I ask because I recently submitted a bug on php5 and got pushback from the maintainer saying that I should not have submitted multiple vulnerabilities in one report [1].

I CCed seanius to this as he was the one who said that. In general there is no consensus about that, just some maintainers prefer that.

> From my perspective, being able to submit multiple vulns makes the job of the security team (and assistants) much easier and straightforward. And if the maintainer prefers to track vulnerabilities individually, then they always have the option to do so at their own leisure (via cloning).
>
> It may be useful to state this as the common practice/policy in the security-tracker overview doc. If there are no objections, I will modify the wording to include such a statement.

I personally agree with you, it makes our job a lot easier and the maintainer always has the ability to clone and retitle bugs. However there are some cases in which I refrain from reporting one big report. In case you can subdivide the vulnerabilities into parts which logically fit in the same category I think it makes more sense to split them instead of reporting one huge grave bug. I don't think there's a general answer for this.

Cheers
Nico
Bug#508031: Tracking vulnerabilities that have already been patched in other distributions
Hi,

* Richard Hartmann [EMAIL PROTECTED] [2008-12-08 09:54]:
> On Mon, Dec 8, 2008 at 09:32, Nico Golde [EMAIL PROTECTED] wrote:
> > I think your imagination of the process is way too easy, it's more than reading and directly editing the tracker, the same process as the one for new CVE ids applies: checking if the package is in Debian, if not checking if there is an itp or if it's NFU,
>
> Can be done with a script of a few lines (unless the whole thing has been renamed).

This can not be done with a script exactly because of this.

> > check other packages embedding this source code,
>
> Should be do-able with a few more lines, but will probably need manual verification.

Huh? Please come up with code if you think it's that easy. In the past we did some checks for this using clamav signatures and I can tell you, it's not that easy.

> > check other packages having similar code...
>
> Needs manual verification work.
>
> Yet, none of these speak against a pointer to the fix already being available once the above steps have been finished. And that is what Michael is offering. It will certainly not make every issue disappear magically. But it may help in quite a few cases.

What speaks against this is that we already have a serious lack of manpower with the normal tracker data and unless this is solved this is a waste of resources.

Cheers
Nico
Re: Need to track clamav vulnerability
* Florian Weimer [EMAIL PROTECTED] [2008-12-04 11:32]:
> * Michael Gilbert:
> > there is currently an unpatched vulnerability in clamav (stable and testing) which has yet to receive a cve id. the bug has been submitted to the debian bts [1], but it has not yet been entered into the security tracker. please update the tracker to include this issue.
>
> It's already been there for a couple of hours. It's CVE-2008-5314.

Michael, note that you already have access to the tracker svn.

Cheers
Nico
Re: Please track CVE-2008-3074, CVE-2008-3075, and CVE-2008-3076 in Etch
Hi,

* Michael Gilbert [EMAIL PROTECTED] [2008-11-26 17:49]:
> Some issues were recently discovered in vim, which have already been fixed in lenny and unstable, but have yet to be fixed in stable. See [1] for more details. Please add the following CVEs to the security tracker:
> CVE-2008-3074
> CVE-2008-3075
> CVE-2008-3076

Gerfried did that, thanks for letting us know!

I noticed that you filed quite a bunch of security related bugs recently in a somewhat uncoordinated manner. This is no problem and help is always welcome but it would be more helpful to also integrate the data in the tracker. If you plan to work on security in Debian please let me know so we can integrate you in the team.

Cheers
Nico
Re: Please track CVE-2008-3074, CVE-2008-3075, and CVE-2008-3076 in Etch
Hi,

* Michael Gilbert [EMAIL PROTECTED] [2008-11-26 19:38]:
> > Thanks, added them with hopefully appropriate short descriptions.
>
> fyi, according to the vim maintainers, this has already been fixed in testing [1], but the tracker currently shows that testing is vulnerable. i can attempt to fix this one if i am permitted to commit to svn. thanks.

Fixed, 1:7.1.314-3+lenny1 vs 1:71.314-3+lenny1

Cheers
Nico
Re: No DSA-1665-1 on the tracker
Hi,

* Gerfried Fuchs [EMAIL PROTECTED] [2008-11-19 16:10]:
> * Francesco Poli [EMAIL PROTECTED] [2008-11-19 00:02:33 CET]:
> > It seems that there's no tracker page [1] for DSA-1665-1 [2].
> > I think this is unintended...
>
> Indeed, thanks for noticing it. I fixed it.

Thijs, any idea why your script didn't catch this one?

Cheers
Nico
Re: [Secure-testing-commits] r9775 - data/CVE
Hi Steffen,

* Steffen Joeris [EMAIL PROTECTED] [2008-09-09 18:10]:
> On Mon, 8 Sep 2008 09:14:28 pm Thijs Kinkhorst wrote:
> > On Mon, September 8, 2008 13:09, [EMAIL PROTECTED] wrote:
> > > Regression fixed in wordnet
> > > - - wordnet 1:3.0-12 (medium; bug #497441)
> > > + - wordnet 1:3.0-13 (medium; bug #497441)
> >
> > Since the regression doesn't have security implications, wouldn't it be more accurate to keep the fixed-version at 1:3.0-12?
>
> I thought about it as well, but if I recall correctly, we have always treated regressions (also the ones that just introduced normal bugs) like this. But I might be off here, so if you are sure go ahead and revert it.

I disagree, as I already wrote in the bug report 1:3.0-12 includes all security fixes and I don't think we should track issues in corner case use cases as they might pop out way later than the issue was fixed.

Cheers
Nico
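Review bot: the commit log "Regression fixed in wordnet" does not state whether the regression touched the security fix itself, which is exactly the question the replies raise about bumping the fixed-version from 1:3.0-12 to 1:3.0-13. Since the thread records that 1:3.0-12 already includes all security fixes, a version bump for a non-security regression changes what the tracker reports as vulnerable for anyone on 1:3.0-12; state in the log (or in a note on the entry) whether the earlier version is still considered fixed, so the change can be kept or reverted on that basis rather than by recollection of past practice.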
Re: tracker CVE feed source
Hi Gerfried,

* Gerfried Fuchs [EMAIL PROTECTED] [2008-08-04 22:11]:
> * Nico Golde [EMAIL PROTECTED] [2008-08-04 21:01:18 CEST]:
> > * Thijs Kinkhorst [EMAIL PROTECTED] [2008-08-04 20:16]:
> > > We have the following options:
> > > - Keep the current feed. It works. But, it's only updated a few times a week, but this may get more often in the future.
> >
> > While I agree that this may be bad because we get some of the vulnerabilities later I also see a good thing in this. This way we don't have to work on this every day but are able to work on bigger chunks every now and then which may be better unless we have more active people working on new CVE ids.
>
> I don't follow that reasoning. Even if the stuff gets in more timely it doesn't mean that they would have to get processed more timely than they are processed currently. If you feel like working on bigger chunks feel free to let it pile up like it's done through the way it's received. I see much bigger advantages with changing it than what might be considered a good thing in this...

Yes but then there is also no advantage doing it the other way. But maybe you are right and it would be slightly better as those issues show up in the TODO section of the tracker so people can see that these issues are already known.

> About directly feeding the mails in, how many commits a day are we speaking here?

I'm not sure if they send one mail for each new CVE id. If the mail system behaves like the rss feed updating small chunks then this would be 1-3 commits per day.

Kind regards
Nico
Re: cupsys renamed to cups: bogus vulnerabilities!
Hi Francesco,

* Francesco Poli [EMAIL PROTECTED] [2008-06-14 12:37]:
> I see from the list archive that the CUPS renaming got the attention it deserves.
> Unfortunately, it seems that the security tracker now lists several old vulnerabilities as fixed in package cups, but unfixed in package cupsys:
> http://security-tracker.debian.net/tracker/source-package/cupsys
> http://security-tracker.debian.net/tracker/status/release/unstable
> http://security-tracker.debian.net/tracker/status/release/testing
> http://security-tracker.debian.net/tracker/status/release/stable
> This seems to be wrong, since many of these vulnerabilities were actually fixed long ago (e.g.: CVE-2002-1384) or do not affect Debian (e.g.: CVE-2001-1508).

Florian, any idea how to fix that? I hope I did exactly what you told me :)

I'll not be available the rest of the weekend to fix this, I'm not at home and have no net connection available.

Cheers
Nico
Re: cupsys renamed to cups: bogus vulnerabilities!
Hi Francesco,

* Francesco Poli [EMAIL PROTECTED] [2008-06-14 12:37]:
> I see from the list archive that the CUPS renaming got the attention it deserves.
> Unfortunately, it seems that the security tracker now lists several old vulnerabilities as fixed in package cups, but unfixed in package cupsys:
[...]

Mhm, maybe the reason is that cupsys was not yet removed from unstable and currently cupsys and cups are installable in unstable?

Kind regards
Nico
Re: DSA-1471-1 vs. tracker
Hi Francesco,

* Francesco Poli [EMAIL PROTECTED] [2008-01-22 00:24]:
> DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge.
> The DSA page [2] seems to ignore this, though. The corresponding CVE pages [3][4][5] consistently claim that version 1.1.0-2 is vulnerable.
> Which of the two is wrong and which is right?
>
> Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the above-mentioned CVEs for etch. However the CVE-2007-4029 page [4] tells a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
> Is this a security-tracker internal inconsistency?
[...]

The source package name was missing from the sarge tag in our DSA file. Fixed this in svn. Thanks a lot for reporting!

Kind regards
Nico
Re: [Secure-testing-commits] r7942 - data/CVE
Hi Florian,

* Florian Weimer [EMAIL PROTECTED] [2008-01-17 09:05]:
> * Nico Golde:
> > > Author: jmm-guest
> > > Date: 2008-01-16 17:57:08 + (Wed, 16 Jan 2008)
> > > New Revision: 7942
> > >
> > > Modified: data/CVE/list
> > > Log: maxdb is in the archive, marked as unfixed for now, didn't check further
> >
> > Is this the same maxdb? I wonder because it says SAP maxdb and also the advisory is linking the SAP homepage as vendor site while the description of the maxdb package in debian references a mysql.com site. That's why I marked this as NFU.
>
> It's the same code base. SAP's SQL database was rebranded as MySQL MaxDB a couple of years ago.

Ok, thank you!

Kind regards
Nico
Re: [Secure-testing-commits] r7942 - data/CVE
Hi,

* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-01-16 23:42]:
> Author: jmm-guest
> Date: 2008-01-16 17:57:08 + (Wed, 16 Jan 2008)
> New Revision: 7942
>
> Modified: data/CVE/list
> Log: maxdb is in the archive, marked as unfixed for now, didn't check further

Is this the same maxdb? I wonder because it says SAP maxdb and also the advisory is linking the SAP homepage as vendor site while the description of the maxdb package in debian references a mysql.com site. That's why I marked this as NFU.

Kind regards
Nico