External check

2014-09-22 Thread Raphael Geissert
CVE-2014-3640: RESERVED
CVE-2014-3655: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/541fc594.ntlxna38rcvtdumw%atomo64+st...@gmail.com



Guidance on no-dsa and adding entries to dsa/dla-needed.txt

2014-09-22 Thread Raphael Hertzog
Hello,

I'm in the process of reviewing open CVEs in oldstable and deciding whether
they must be added to dla-needed.txt or not. I have multiple questions:

1/ is there a page on the security tracker that lists packages with
open vulnerabilities in stable/oldstable which are neither unimportant,
nor marked no-dsa, and not present in dsa/dla-needed? (I could not
find one)

Shall I file a wishlist request for this?

2/ Since we decided early-on to mark squeeze as no-dsa when wheezy was
also marked as such, I wonder what I should do when no such decision
has been made yet (i.e. the package is not in dsa-needed.txt but the CVE
entry also doesn't have any no-dsa or unimportant tag). I would like
to have some guidelines on when it's appropriate to mark something as
no-dsa or when it's better to add it to dsa/dla-needed (apparently I
made a bad decision once already, since Moritz reverted
http://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=28950)

This information is not available in
http://security-team.debian.org/security_tracker.html

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/





Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt

2014-09-22 Thread Holger Levsen
Hi Raphael,

thanks for your work on triaging oldstable related CVEs!

On Monday, 22 September 2014, Raphael Hertzog wrote:
> 1/ is there a page on the security tracker that lists packages with
> open vulnerabilities in stable/oldstable which are neither unimportant,
> nor marked no-dsa and not present in dsa/dla-needed ? (I could not
> find one)

I have patches very much pending (=I will probably bring them live today or if 
not today, then tomorrow) which allow you to set proper filters for 
https://security-tracker.debian.org/tracker/status/release/oldstable so you 
can see there what you wanna see.
 

cheers,
Holger




Bug#762069: marked as done (security-tracker does not update NVD information anymore)

2014-09-22 Thread Debian Bug Tracking System
Your message dated Mon, 22 Sep 2014 19:14:23 +0200
with message-id 20140922171423.GA26721@eldamar.local
and subject line Re: Bug#762069: security-tracker does not update NVD 
information anymore
has caused the Debian Bug report #762069,
regarding security-tracker does not update NVD information anymore
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
762069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762069
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: security-tracker
Severity: normal
Tags: confirmed

Hi,

I'm looking into this problem, but would like to have the problem
documented in the BTS. Currently, since we switched to fetching information
through https, updates of NVD information for the security-tracker do
not work anymore.

The Makefile contains an update-nvd target, which fetches the nvde-$year
information via https:

wget -q -Odata/nvd/$$name https://nvd.nist.gov/download/$$name

ERROR: The certificate of `nvd.nist.gov' is not trusted.
ERROR: The certificate of `nvd.nist.gov' hasn't got a known issuer.

Solution: We need (as for example also needed for qa's vcs-watch) our
own CA store for the security-tracker which is used on soler.

Regards,
Salvatore
---End Message---
---BeginMessage---
Hi

This is now done by keeping a certificate store for the sectracker
user which is then used when fetching the data.

Regards,
Salvatore
---End Message---
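The fix Salvatore describes, a dedicated CA store used for the https fetch instead of disabling verification, as an added shell example that is not the security-tracker's Makefile or any script from the thread; CA_STORE, DEST_DIR and the function names are assumptions, while the wget options used are real.

```shell
# Added example, not the security-tracker's Makefile or Salvatore's script:
# fetch one NVD feed over https, verifying the server against a dedicated CA
# store kept for the fetching user, and fail closed when that store is unusable.
# CA_STORE, DEST_DIR and the function names are assumptions; the wget options
# (--ca-certificate, -q, -O) are real wget options.
CA_STORE="${CA_STORE:-$HOME/.sectracker/nvd-ca.pem}"
DEST_DIR="${DEST_DIR:-data/nvd}"

# Returns 0 if the CA store is a non-empty file containing at least one PEM
# certificate, 1 if it is missing or empty, 2 if it is not PEM at all.
check_ca_store() {
    [ -s "$1" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$1" || return 2
    return 0
}

# Fetch feed file $1 into DEST_DIR. There is deliberately no
# --no-check-certificate fallback: an untrusted certificate is an error that
# should surface in the log, not be silenced.
fetch_nvd() {
    name="$1"
    if ! check_ca_store "$CA_STORE"; then
        echo "fetch_nvd: CA store $CA_STORE missing or not PEM, refusing to fetch $name" >&2
        return 1
    fi
    mkdir -p "$DEST_DIR" || return 1
    wget -q --ca-certificate="$CA_STORE" -O "$DEST_DIR/$name" \
        "https://nvd.nist.gov/download/$name"
}
```

With the store absent, fetch_nvd exits non-zero before any network access, which is the behaviour a cron job should report rather than hide.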


Bug#742382: Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)

2014-09-22 Thread Holger Levsen
Hi,

On Monday, 22 September 2014, Christoph Biedl wrote:
> While the new appearance of the security tracker is a *huge*
> improvement, both in information details and design, thanks for that,

thanks!

> As a suggestion for the above issue:
> 
> + squeeze, squeeze (security)   5.04-5+squeeze5 [gray]No longer supported¹
> | squeeze (lts) 5.04-5+squeeze7 [green]fixed
> + wheezy5.11-2+deb7u3   [light red]fix pending²
> | wheezy (security) 5.11-2+deb7u5   [green]fixed
> | jessie, sid   1:5.19-2[green]fixed

I like the idea of using more colors...
 
> + ¹ The squeeze suite has been discontinued. Use the squeeze-lts version

That's (slightly) misleading and wrong, though.

> + ² Will be handled in due course. Use the wheezy (security) version
> The footnotes are part of the text. And yes, they'd have to appear
> on every page.
> Your opinion on that?

yes, true, the security tracker still has some bugs which need to be fixed. 
Specific suggestions (like colors or footnotes) are best made in separate 
short bugs, better yet with patches :-)

That said, I don't agree with the described urgency / panic. Debian might look 
bad because of bad things we do or good things we don't do, but seldom 
because our security tracker is too accurate (or even inaccurate/wrong at 
times) :-) 


cheers,
Holger






Bug#642987: EOL-support patch updated, to apply against new checkboxes code

2014-09-22 Thread Holger Levsen
Hi,

see mail subject and attached file.

[00:53]   h01ger | buxy: i have a patch to display end-of-life too, 
#642987 - i just don't like abusing urgency for it as i do. i'd rather have 
Florian's db remodelling..

but I might still commit this one to svn, as perfect is the enemy of good also 
here, and the EOL code can also be refactored, once the model is redone :)


cheers,
Holger
From a96948b3ef4e4a40107cc8f00b9af584b6d26fb6 Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Sat, 13 Sep 2014 02:02:42 +0200
Subject: [PATCH] Display end-of-life information in the web view. (Closes:
 #642987)

---
 bin/tracker_service.py| 7 ++-
 lib/python/bugs.py| 4 ++--
 lib/python/security_db.py | 8 +---
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index d3c8b10..83a53bd 100644
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -29,6 +29,7 @@ class BugFilter:
('low_urgency', 'low', 'urgency'),
('unimportant_urgency', 'unimportant', 'urgency'),
('unassigned_urgency', 'not_yet_assigned', 'urgency'),
+   ('endoflife_urgency', 'end-of-life', 'urgency'),
 
('remote', 'hide remote scope', 'scope'),
('local', 'hide local scope', 'scope'),
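Review bot: the label column of the new tuple uses the hyphenated value 'end-of-life', while the neighbouring unassigned entry labels itself 'not_yet_assigned' with underscores rather than the urgency's real name 'not yet assigned'; pick one convention for this column (the hyphenated form matches what urgencyFiltered compares against, so the others could follow it) and say so in a comment, otherwise the next urgency added here will copy whichever line happens to be nearest.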
@@ -76,7 +77,9 @@ class BugFilter:
 and urg == 'unimportant'
 filteruna = not self.params['unassigned_urgency'] \
 and urg ==  'not yet assigned'
-return filterlow or filtermed or filterhigh or filterund or filteruni or filteruna
+filterend = not self.params['endoflife_urgency'] \
+and urg == 'end-of-life'
+return filterlow or filtermed or filterhigh or filterund or filteruni or filteruna or filterend
 
 def remoteFiltered(self, remote):
 	filterr = self.params['remote'] and remote and remote is not None
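Review bot: filterend compares urg against a second copy of the literal 'end-of-life', which must stay byte-identical to the name registered in listUrgencies in lib/python/bugs.py; a silent mismatch would make the checkbox a no-op, so referencing a shared constant (or at least noting the coupling) is safer than another literal. The return line is also now long enough that splitting it as the filter variables above already are would keep it readable.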
@@ -420,6 +423,8 @@ data source.)],
 else:
 rel = '(unstable)'
 urgency = str(n.urgency)
+		if urgency == 'end-of-life':
+			urgency = self.make_red('end-of-life')
 if n.fixed_version:
 ver = str(n.fixed_version)
 if ver == '0':
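Review bot: the two added lines are indented with tabs while the surrounding `else:`, `rel = '(unstable)'` and `urgency = str(n.urgency)` lines use spaces; mixed tab and space indentation in Python can silently put the `if` in a different block than intended, so re-indent with spaces before committing. Separately, rendering end-of-life through make_red gives it the same visual weight as an unfixed vulnerability, which is not what "no longer supported" should convey; a distinct style would avoid readers mistaking it for an open issue.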
diff --git a/lib/python/bugs.py b/lib/python/bugs.py
index a147e74..9247085 100644
--- a/lib/python/bugs.py
+++ b/lib/python/bugs.py
@@ -24,7 +24,7 @@ class Urgency(debian_support.PseudoEnum): pass
 
 def listUrgencies():
 urgencies = {}
-urgs = ('high', 'medium', 'low', 'unimportant', 'not yet assigned')
+urgs = ('high', 'medium', 'low', 'unimportant', 'end-of-life', 'not yet assigned')
 for u in range(len(urgs)):
 urgencies[urgs[u]] = Urgency(urgs[u], -u)
 Urgency.urgencies = urgencies
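Review bot: position in the urgs tuple is the sort key (Urgency(urgs[u], -u)), so inserting 'end-of-life' between 'unimportant' and 'not yet assigned' makes it rank below unimportant and above not-yet-assigned everywhere urgencies are ordered; if that is the intended ordering, a comment on the tuple should say so, because the placement looks incidental as written.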
@@ -579,7 +579,7 @@ class FileBase(debian_support.PackageFile):
 comments.append(('NOTE', r))
 elif v == 'end-of-life':
 pkg_notes.append(PackageNoteParsed
- (p, '0', 'unimportant',
+ (p, None, 'end-of-life',
   release=release))
 if d:
 # Not exactly ideal, but we have to
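Review bot: replacing the fixed version '0' with None changes an end-of-life note from "not affected" to "vulnerable, no fixed version", and the only thing now keeping such entries off the vulnerable lists is the urgency check added in lib/python/security_db.py; that is an invisible coupling between two files, so a comment here naming the dependency (or a test that an end-of-life note never surfaces as vulnerable) would protect it against future refactoring.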
diff --git a/lib/python/security_db.py b/lib/python/security_db.py
index 088d4b5..52abb93 100644
--- a/lib/python/security_db.py
+++ b/lib/python/security_db.py
@@ -274,7 +274,7 @@ class DB:
  subrelease TEXT NOT NULL,
  status TEXT NOT NULL
  CHECK (status IN ('vulnerable', 'fixed', 'unknown', 'undetermined',
-   'partially-fixed', 'todo')),
+   'partially-fixed', 'todo', 'end-of-life')),
  reason TEXT NOT NULL,
  PRIMARY KEY (bug_name, release, subrelease)))
 
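Review bot: widening the CHECK constraint inside CREATE TABLE only affects databases created from scratch; an existing database keeps the old constraint until the table is recreated, so any INSERT with status 'end-of-life' would fail there. Nothing in the visible diff writes that status to this table either, so either the write side is still missing or the schema change is premature; a schema-version bump or a comment stating which would clarify it.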
@@ -1305,7 +1305,8 @@ class DB:
 AND n.id = vulnlist.note
 ORDER BY vulnlist.package)):
 if fixed_version == '0' or urgency == 'unimportant' \
-   or kind not in ('source', 'binary', 'unknown'):
+or urgency == 'end-of-life' \
+or kind not in ('source', 'binary', 'unknown'):
 continue
 
 # Normalize FAKE-* names a bit.  The line number (which
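Review bot: the added `or urgency == 'end-of-life'` clause duplicates the 'unimportant' skip, and because end-of-life notes now carry fixed_version None instead of '0' (lib/python/bugs.py change), this clause is what stops those rows from being reported as vulnerable; a one-line comment saying so would keep a future reader from treating it as cosmetic and dropping it.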
@@ -1500,7 +1501,8 @@ class DB:
 # packages as vulnerable.  (If unstable_fixed == '0',
 # release-specific annotations cannot create
 # vulnerabilities, either.)
-if total_urgency == 'unimportant' or unstable_fixed == '0':
+if total_urgency == 'unimportant' or unstable_fixed == '0' \
+or total_urgency == 'end-of-life':
 continue
 
 if 
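Review bot: the comment above the condition (the lines "packages as vulnerable. (If unstable_fixed == '0', release-specific annotations cannot create vulnerabilities, either.)") still explains only the unimportant and unstable_fixed cases; update it to mention end-of-life so the comment matches the condition it describes.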

Processed: merge

2014-09-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 762288 wishlist
Bug #762288 [security-tracker] security-tracker: available versions table is 
unnecessary
Severity set to 'wishlist' from 'normal'
> merge 761963 762288
Bug #761963 [security-tracker] security-tracker: consolidate vulnerable/fixed 
per release in overviews
Bug #762288 [security-tracker] security-tracker: available versions table is 
unnecessary
Merged 761963 762288
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
761963: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761963
762288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

