Bug#985427: Wrong DLA number for spice CVEs

2021-03-20 Thread Boyuan Yang
Hi,

On Thursday, 2021-03-18 at 07:15 +0100, Salvatore Bonaccorso wrote:
> For the record, the security-tracker ships the authoritative
> assignment, they are:
> 
> [31 Aug 2018] DLA-1488-1 mariadb-10.0 - security update
>     {CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066}
>     [jessie] - mariadb-10.0 10.0.36-0+deb8u1
> 
> [31 Aug 2018] DLA-1486-1 spice - security update
>     {CVE-2018-10873}
>     [jessie] - spice 0.12.5-1+deb8u6
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec38e10ec1289c204c18999585bcbf7967ad7413
> and
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdaa7f41280c397e155037320704cde369172aae
> 
> So the webpage of DLA 1488 should just be corrected for the
> mariadb-10.0 announcement. (The spice DLA seems to have been sent out twice).


I'd be glad to apply the fix if anyone provides a patch or a Merge
Request targeting this issue for
https://salsa.debian.org/webmaster-team/webwml/ repository.

Thanks,
Boyuan Yang




Bug#985427: Wrong DLA number for spice CVEs

2021-03-18 Thread Petr Perminov
Package: www.debian.org
Severity: normal



-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

You have DLA for mariadb package 
(https://lists.debian.org/debian-lts-announce/2018/08/msg00036.html)
and DLA for spice package 
(https://lists.debian.org/debian-lts-announce/2018/08/msg00037.html),
but on the following pages you have wrong DLA number / links:
https://lists.debian.org/debian-lts-announce/2018/08/msg00035.html
and wrong content here:
https://www.debian.org/lts/security/2018/dla-1488 (it copies 
https://www.debian.org/lts/security/2018/dla-1486)



Bug#985427: Wrong DLA number for spice CVEs

2021-03-18 Thread Salvatore Bonaccorso
For the record, the security-tracker ships the authoritative
assignment, they are:

[31 Aug 2018] DLA-1488-1 mariadb-10.0 - security update
    {CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066}
    [jessie] - mariadb-10.0 10.0.36-0+deb8u1

[31 Aug 2018] DLA-1486-1 spice - security update
    {CVE-2018-10873}
    [jessie] - spice 0.12.5-1+deb8u6

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec38e10ec1289c204c18999585bcbf7967ad7413
and
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdaa7f41280c397e155037320704cde369172aae

So the webpage of DLA 1488 should just be corrected for the mariadb-10.0
announcement. (The spice DLA seems to have been sent out twice).

Regards,
Salvatore