Bug#994897: security-tracker: turning text URL to link includes extraneous character

2021-12-10 Thread Salvatore Bonaccorso
I should have finished replying to the bug in full first; apologies,
you now get two mails!

On Sat, Dec 11, 2021 at 08:36:11AM +0100, Salvatore Bonaccorso wrote:
> The underlying bug might still be fixed at some point, there was a
> similar issue in past for the NOTE part as well, which if I remember
> correctly got fixed.

Picking the explicitly mentioned list, I would still see it useful if
the parsing is correct, but it's really a minor issue in the end:

CVE-2017-0381

> [jessie] - opus  (Minor issue, https://bugs.debian.org/851612#10)

Would still be useful if that works when displaying, because the
reference highlights in more detail why the issue was ignored for the
specific suite.

CVE-2018-16869

> [jessie] - nettle  (Minor issue - 
> https://lists.debian.org/debian-lts/2019/03/msg00021.html)

Same as above, the reference gives additional information why in
LTS context for jessie the issue can be considered minor, but not
necessary as a general note for the CVE. Borderline, a NOTE could also
have worked for this case I guess.

CVE-2021-32686

> [stretch] - pjproject  (Minor issue; 
> https://people.debian.org/~abhijith/upload/CVE-2021-32686.patch)

As for the initially mentioned CVE, I believe this does not belong to
the tracker itself, but seems to be for a partial work on the package
so the work is not lost when another LTS member picks up to further
update pjproject and might want to include the work from abhijith.

CVE-2020-28491

> [stretch] - jackson-dataformat-cbor  (Minor issue; 
> https://people.debian.org/~abhijith/CVE-2020-28491.txt)

Likewise, IMHO.

CVE-2008-5161

> [etch] - openssh  (Minor issue, see 
> http://www.openssh.org/txt/cbc.adv)

Indeed, that would have been more appropriate to put in some form in a
NOTE!

Regards,
Salvatore



Bug#994897: security-tracker: turning text URL to link includes extraneous character

2021-12-10 Thread Salvatore Bonaccorso
Hi Neil,

On Fri, Dec 10, 2021 at 11:06:36AM +, Neil Williams wrote:
> On Wed, 22 Sep 2021 15:34:32 -0400 "Roberto C. Sanchez"  
> wrote:
> > Package: security-tracker
> > Severity: normal
> > 
> > 
> > It appears that when parsing data/CVE/list and a URL is encountered,
> > that extraneous characters can end up included in the link, which
> > can result in the actual link not reflecting the intended link.  For
> > example, https://security-tracker.debian.org/tracker/CVE-2020-13230
> > links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
> > but incorrectly includes the closing parenthesis that denotes the end of
> > the note text as part of the link.
> 
> This looks like it actually needs an improvement to the syntax of that CVE.
> 
> The URL would typically be part of a NOTE: line, not part of the comment.
> 
> e.g. current:
> 
> CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
> immediately  ...)
>   - cacti 1.2.11+ds1-1
>   [buster] - cacti 1.2.2+ds1-2+deb10u3
>   [stretch] - cacti  (Minor issue, Partial patch 
> https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
>   NOTE: https://github.com/Cacti/cacti/issues/3343
> 
> Proposed:
> 
> 
> CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
> immediately  ...)
>   - cacti 1.2.11+ds1-1
>   [buster] - cacti 1.2.2+ds1-2+deb10u3
>   [stretch] - cacti  (Minor issue, Partial patch)
>   NOTE: https://github.com/Cacti/cacti/issues/3343
> NOTE: https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch

Actually those references to incomplete (and in some cases not
finalized backported packages/debdiffs) should (IMHO) not appear at
all, even more so in the above particular case of an update which was
started and then stopped and the patch is only partially completed.

Maybe LTS team wants to just track somewhere else when an update has
started, but for some reason the upload was not finalized or there are
issues with the update.

But as I understand LTS team is currently investigating that packaging
updates are all done in separate git repositories where I expect such
WIP will be tracked then as well.

The underlying bug might still be fixed at some point, there was a
similar issue in past for the NOTE part as well, which if I remember
correctly got fixed.

Regards,
Salvatore



Bug#994897: security-tracker: turning text URL to link includes extraneous character

2021-12-10 Thread Neil Williams
On Wed, 22 Sep 2021 15:34:32 -0400 "Roberto C. Sanchez"  
wrote:
> Package: security-tracker
> Severity: normal
> 
> 
> It appears that when parsing data/CVE/list and a URL is encountered,
> that extraneous characters can end up included in the link, which
> can result in the actual link not reflecting the intended link.  For
> example, https://security-tracker.debian.org/tracker/CVE-2020-13230
> links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
> but incorrectly includes the closing parenthesis that denotes the end of
> the note text as part of the link.

This looks like it actually needs an improvement to the syntax of that CVE.

The URL would typically be part of a NOTE: line, not part of the comment.

e.g. current:

CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
immediately  ...)
- cacti 1.2.11+ds1-1
[buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti  (Minor issue, Partial patch 
https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
NOTE: https://github.com/Cacti/cacti/issues/3343

Proposed:


CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
immediately  ...)
- cacti 1.2.11+ds1-1
[buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti  (Minor issue, Partial patch)
NOTE: https://github.com/Cacti/cacti/issues/3343
NOTE: https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch

Other CVEs with URLs in the comment include:

CVE-2017-0381
CVE-2018-16869
CVE-2021-32686
CVE-2020-28491
CVE-2008-5161

All other CVEs that reference a URL do so via a NOTE: entry.

-- 
Neil Williams
=
https://linux.codehelp.co.uk/




Bug#994897: security-tracker: turning text URL to link includes extraneous character

2021-09-22 Thread Roberto C. Sanchez
Package: security-tracker
Severity: normal

It appears that when parsing data/CVE/list and a URL is encountered,
that extraneous characters can end up included in the link, which
can result in the actual link not reflecting the intended link.  For
example, https://security-tracker.debian.org/tracker/CVE-2020-13230
links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
but incorrectly includes the closing parenthesis that denotes the end of
the note text as part of the link.

Regards,

-Roberto

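As an added illustration of the parser problem reported in this thread (example code, not the security-tracker's own implementation): a small Python linkifier that matches URLs in note text, then trims trailing punctuation while balancing parentheses, so the ")" that closes a note is left out of the link but a ")" that is really part of a URL is kept. The sample entries are constructed from the lines quoted in this thread; the "Foo_(bar)" URL is a made-up example.org URL.

```python
import html
import re

# Rough URL matcher: scheme, then a run of non-space, non-markup characters.
# Trailing punctuation is trimmed afterwards rather than excluded in the regex.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Characters that usually close a sentence or bracket in the surrounding prose
# and are almost never the real last character of a URL.
_TRAILING = ".,;:!?)]}'\""

# Constructed sample input, modelled on the data/CVE/list entries quoted above.
SAMPLE_ENTRY = (
    "[stretch] - cacti  (Minor issue, Partial patch "
    "https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)"
)


def clean_url(raw: str) -> str:
    """Strip trailing punctuation that belongs to the text, not the URL.

    A ')' is only dropped when the URL has fewer '(' than ')', so a URL that
    legitimately ends in a balanced parenthesis keeps it.
    """
    url = raw
    while url and url[-1] in _TRAILING:
        if url[-1] == ")" and url.count("(") >= url.count(")"):
            break
        url = url[:-1]
    return url


def extract_urls(text: str) -> list:
    """Return every URL in `text`, each cleaned of trailing punctuation."""
    return [clean_url(m.group(0)) for m in _URL_RE.finditer(text)]


def linkify(text: str) -> str:
    """Return HTML for `text` with each URL wrapped in <a>; everything is escaped."""
    out = []
    pos = 0
    for m in _URL_RE.finditer(text):
        url = clean_url(m.group(0))
        out.append(html.escape(text[pos:m.start()]))
        out.append('<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(url)))
        pos = m.start() + len(url)  # the trimmed tail stays as ordinary text
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(linkify(SAMPLE_ENTRY))
```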