Bug#344241: debsecan: not sure -- probably open issue is reported fixed
* Yaroslav Halchenko:

> > an upload which hasn't happened yet, and for unstable, no package
> > availability checks are performed. The fix is to perform the checks
>
> Hi Florian, I am sorry to bother you, but I am really curious if you are going to implement the availability check in debsecan? If so, then how soon, since I am waiting for this feature holding my breath ;-)

This should have been fixed in:

  r3122 | fw | 2005-12-22 11:19:06 +0100 (Thu, 22 Dec 2005) | 4 lines

  lib/python/security_db.py (DB.calculateDebsecan): Check that a fixed
  package is actually available in sid, and do not trust the list files.

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
Hi Florian,

Thank you for your prompt reply. I am a little bit confused with the description, maybe of what "obsolete" is. (And there is a typo in the man page: "pacakge" should be "package".)

I thought that

  apt-get install `debsecan --suite sid --format packages --only-fixed`

would install the packages which have security vulnerabilities and which are outdated on the system (i.e. there is a fresher binary package version available from the Debian repository), but it says that many packages are already the newest version, and they are marked as obsolete (so for my purpose I really need to use --no-obsolete). And the man page says about obsolete:

> This means that the binary package in question has been removed from the archive.

which has quite a different meaning from debsecan's point of view: debsecan lists packages as obsolete even when they are not removed from the archive but are just not present in the archive with the required fresh binary version. A proper word for such packages would be "outdated" or "not-built", I believe, or something like it. For instance:

  CVE-2005-3352 (fixed, remotely exploitable, low urgency)
  Cross-site scripting (XSS) vulnerability in the mod_imap module of ...
    installed: apache-utils 1.3.33-8 (built from apache 1.3.33-8)
    package is obsolete
    fixed in unstable: apache 1.3.34-2 (source package)
    fix is available for the selected suite (sid)

So a discrimination between

1. obsolete: packages which have vulnerabilities and are not available from the archive at all in any version for a given suite -- removed from the archive, so no "fixed in unstable: ... (source package)" for them, I believe;

2. not-built (or some better name): fresh source is available with no binaries yet available from the archive (mirror). Then an option --no-not-built would help.

Such a discrimination sounds reasonable to me and would help to provide relevant information for the administrator on what updates he can currently perform.

Thank you in advance for any feedback, and thank you very much for your work.

On Thu, Jan 19, 2006 at 09:00:26AM +0100, Florian Weimer wrote:
> > I am sorry to bother you, but I am really curious if you are going to implement the availability check in debsecan? If so, then how soon, since I am waiting for this feature holding my breath ;-)
>
> This should have been fixed in:
>
>   r3122 | fw | 2005-12-22 11:19:06 +0100 (Thu, 22 Dec 2005) | 4 lines
>
>   lib/python/security_db.py (DB.calculateDebsecan): Check that a fixed
>   package is actually available in sid, and do not trust the list files.

-- 
Keep in touch  (yoh@|www.)onerussian.com
Yaroslav Halchenko  ICQ#: 60653192  Linux User [17]
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
> an upload which hasn't happened yet, and for unstable, no package
> availability checks are performed. The fix is to perform the checks

Hi Florian,

I am sorry to bother you, but I am really curious if you are going to implement the availability check in debsecan? If so, then how soon, since I am waiting for this feature holding my breath ;-)

Have a good everything,

-- 
Keep in touch  (yoh@|www.)onerussian.com
Yaroslav Halchenko  ICQ#: 60653192  Linux User [17]
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
* Yaroslav Halchenko:

> now you've got an active user/tester, thus you might get an increase in the amount of bug reports :-)

Thanks.

> On my first try of the package I've decided to do a full system security upgrade, so I ran
>
>   apt-get install $(debsecan --suite sid --format packages --only-fixed)
>
> and it gave me:
>
>   libnetpbm10 is already the newest version.
>   libnetpbm9 is already the newest version.

This needs to be fixed on the server side. The relevant DSA promised an upload which hasn't happened yet, and for unstable, no package availability checks are performed. The fix is to perform the checks for unstable as well.

>   cpio is already the newest version.

A fixed version was uploaded, and its version was put into the database, but it doesn't seem to have made its way into your local copy of the Packages file yet. (Note that cpio hasn't been built on all architectures, which can also lead to such mismatches. More extensive changes are necessary to address this problem.)

>   linux-image-2.6.12-1-386 is already the newest version.

This is an instance of the "package fixed by obsolescence" problem. There is a newer version of the source package, linux-2.6, which fixes the bug in question, but the source package does not build the binary package linux-image-2.6.12-1-386 anymore. This means it's not possible to really fix the bug with a simple upgrade process. This needs some work before a fix is available.

> Also it would be helpful to track the issue if there was at least some optional debugging output (such vulnerabilities for package X are found; this, this and that one are fixed, etc., depending on the logic of debsecan).

--format detail lists such information. On the client side, not much data is available because most processing happens on the server. Otherwise, you'd have to download much larger database files.
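The three mismatches Florian walks through above (fix not yet uploaded, fix uploaded but not yet in the local Packages file, binary no longer built by the fixed source) are the same split Yaroslav proposes earlier in the thread as obsolete versus not-built. The example below is added here and is not debsecan's code or the thread's: it compares an installed package set against a sid Packages index using dpkg's version ordering and labels each vulnerable binary as upgrade, not-built or obsolete. All package data is constructed, and the CVE-XXXX-* ids are placeholders.

```python
# Added example, not debsecan's own code. Checks whether a "fixed in sid" entry is
# installable from the mirror's Packages index, splitting the thread's three cases
# (upgrade / not yet built / obsolete). Ordering follows dpkg's version algorithm;
# all package data below is constructed for illustration (CVE-XXXX-* are placeholders).
def _order(c):                      # dpkg's character weight for non-digit runs
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)   # '~' sorts before ""
def _verrevcmp(a, b):
    at = lambda s, k: s[k:k + 1]    # "" past the end, like C's NUL terminator
    i = j = 0
    while at(a, i) or at(b, j):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            if _order(at(a, i)) != _order(at(b, j)): return _order(at(a, i)) - _order(at(b, j))
            i += 1; j += 1
        while at(a, i) == "0": i += 1              # leading zeros are insignificant
        while at(b, j) == "0": j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j]); i += 1; j += 1
        if at(a, i).isdigit(): return 1            # longer digit run is larger
        if at(b, j).isdigit(): return -1
        if first_diff: return first_diff
    return 0
def deb_version_cmp(a, b):
    """<0, 0, >0 as dpkg --compare-versions orders epoch:upstream-revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
# installed: binary -> (version, source); index: binary -> (version, source version)
INSTALLED = {"cpio": ("2.6-9", "cpio"), "libnetpbm10": ("10.0-8", "netpbm"),
             "linux-image-2.6.12-1-386": ("2.6.12-10", "linux-2.6")}
SID_INDEX = {"cpio": ("2.6-10", "2.6-10"), "libnetpbm10": ("10.0-8", "10.0-8")}
FIXES = [("CVE-2005-4268", "cpio", "2.6-10"), ("CVE-XXXX-0001", "netpbm", "10.0-9"),
         ("CVE-XXXX-0002", "linux-2.6", "2.6.15-1")]    # (cve, source, fixed version)
def classify(installed=INSTALLED, index=SID_INDEX, fixes=FIXES):
    """binary -> (cve, status): what 'apt-get install <binary>' would achieve now."""
    out = {}
    for cve, source, fixed in fixes:
        for binary, (ver, src) in installed.items():
            if src != source or deb_version_cmp(ver, fixed) >= 0:
                continue                                   # other source, or already fixed
            entry = index.get(binary)
            if entry is None: status = "obsolete"          # binary no longer in the archive
            elif deb_version_cmp(entry[1], fixed) >= 0: status = "upgrade"   # apt can install
            else: status = "not-built"                     # fix uploaded, not on mirror yet
            out[binary] = (cve, status)
    return out
```

The comparison assumes the binary version tracks the source version, which does not hold for binNMUs or kernel image packages; a real tool would compare against the Source field's version instead.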
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
Hi Florian,

> >   cpio is already the newest version.
>
> A fixed version was uploaded, and its version was put into the database, but it doesn't seem to have made its way into your local copy of the Packages file yet.

Actually the main confusion was that on http://idssi.enyo.de/tracker/source-package/cpio CVE-2005-4268 is in open issues, and I didn't check it out in detail; now when I go to http://idssi.enyo.de/tracker/CVE-2005-4268 it does state that sid 2.6-10 fixed it, so indeed an upgrade is necessary. Yesterday though the latest sid version was 2.6-9, or I was on drugs and somehow missed -10 :-)

Please feel free to close the bug :-)

-- 
Keep in touch  (yoh@|www.)onerussian.com
Yaroslav Halchenko  ICQ#: 60653192  Linux User [17]
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
* Yaroslav Halchenko:

> Please feel free to close the bug :-)

I'm afraid the other problematic packages you reported are real. So let's keep this bug open.
Bug#344241: debsecan: not sure -- probably open issue is reported fixed
Package: debsecan
Version: 0.2
Severity: normal

First of all let me thank you for the package. I was thinking about hacking up something like that myself but always postponed the project until later on. So thank you very much -- now you've got an active user/tester, thus you might get an increase in the amount of bug reports :-)

On my first try of the package I've decided to do a full system security upgrade, so I ran

  apt-get install $(debsecan --suite sid --format packages --only-fixed)

and it gave me:

  cpio is already the newest version.
  libnetpbm10 is already the newest version.
  libnetpbm9 is already the newest version.
  linux-image-2.6.12-1-386 is already the newest version.
  netpbm is already the newest version.

I decided to look closer into the cpio package:

  dpkg -l cpio
  ii  cpio  2.6-9  GNU cpio -- a program to manage archives of

  debsecan --suite sid --format summary --only-fixed | grep cpio
  CVE-2005-4268 cpio (fixed)

http://idssi.enyo.de/tracker/source-package/cpio lists CVE-2005-4268 among open issues, and the other resolved issues are covered by 2.6-9, thus nothing really has to be upgraded.

Please let me know if more details are necessary.

Also it would be helpful to track the issue if there was at least some optional debugging output (such vulnerabilities for package X are found; this, this and that one are fixed, etc., depending on the logic of debsecan).

Thanks once again for a nice tool.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (600, 'unstable'), (300, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-mm1
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages debsecan depends on:
ii  python  2.3.5-3  An interactive high-level object-o

debsecan recommends no packages.

-- no debconf information

-- 
Yarik