Re: scponly issue

2007-12-13 Thread Florian Weimer
the configured security policy, so high is warranted. I'll make sure that we release an appropriate update for stable. -- Florian Weimer [EMAIL PROTECTED] BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe

Re: DSA-1615-1 vs. tracker

2008-09-09 Thread Florian Weimer
* Gerfried Fuchs: I guess as I haven't received any feedback about my patch to the Makefile it is fine to commit that? I will try to dig into how to produce outstanding issue pages for volatile and backports next then. I think we also need to implement some form of version name mutilation

Re: Conflicting Information on CVE-2008-3699 Page

2008-10-25 Thread Florian Weimer
* Moritz Muehlenhoff: The CVE-2008-3230 page seems to have the same problem. What would need to be done to fix this? I may have some time to look at the code and make it work better -- if someone can tell me where to start. Is the code that generates these pages contained in the

Re: patch for Makefile for security-tracker

2008-12-03 Thread Florian Weimer
* Gerfried Fuchs: I started to take a look at the svn repository and produced this short patch as first approach to get backports integrated: In the secure-testing Subversion repository, there's now a version of the security tracker which provides an overview page for stable backports. In

Re: Need to track clamav vulnerability

2008-12-03 Thread Florian Weimer
* Michael Gilbert: there is currently an unpatched vulnerability in clamav (stable and testing) which has yet to receive a cve id. the bug has been submitted to the debian bts [1], but it has not yet been entered into the security tracker. please update the tracker to include this issue.

Re: patch for Makefile for security-tracker

2008-12-06 Thread Florian Weimer
* Florian Weimer: I will put it onto the live system once I'm more confident that it's actually correct. It's on the live system now. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Bugs in debsecan feed for etch

2009-01-14 Thread Florian Weimer
* Sheldon Hearn: Indeed, most of the false positives are gone this morning. The vim ones remain: CVE-2008-2712 vim-common (fixed, medium urgency) CVE-2008-2712 vim (fixed, medium urgency) CVE-2008-2712 vim-runtime (fixed, medium urgency) This turned out to be misentered data. I've fixed

The release and the tracker

2009-02-14 Thread Florian Weimer
The tracker needs to be updated to reflect the stable - oldstable shift, and the addition of the squeeze suite. The latter is only possible after squeeze has landed on the mirrors, so it will take a couple of hours. I hope to be able to implement the transition tomorrow morning (2008-02-15 CET,

Re: Severity of application launcher issues

2009-02-14 Thread Florian Weimer
* Michael S. Gilbert: I submitted the recent application launcher issues into the tracker with medium urgency, and the severity was subsequently reduced to low. I had followed the categorization guidelines [1], and medium seemed like a better fit since malicious code execution is possible

Re: The release and the tracker

2009-02-15 Thread Florian Weimer
* Florian Weimer: The tracker needs to be updated to reflect the stable - oldstable shift, and the addition of the squeeze suite. The latter is only possible after squeeze has landed on the mirrors, so it will take a couple of hours. The transition has been completed. Please report

Re: Tracker vs. testing: not OK

2009-02-19 Thread Florian Weimer
* Francesco Poli: However, many other vulnerabilities are still considered as unfixed in squeeze and fixed in lenny at the same time, with both branches having the same exact package version. Thanks for providing the list. As announced, we do not provide full testing-security for a few

Re: No DSA-1768-1 on the tracker

2009-04-11 Thread Florian Weimer
* Francesco Poli: DSA-1768-1 was issued yesterday, but no corresponding tracker page is present yet. Is there any problem with the automatic creation of DSA tracker pages? There was a typo in the subject line of the DSA, that's why the automatic update failed. The DSA should be available on

Re: No tracker page for DSA-1861-1

2009-08-14 Thread Florian Weimer
* Michael S. Gilbert: On Fri, 14 Aug 2009 00:58:46 +0200 Francesco Poli wrote: Hi all! I cannot yet find any tracker page for DSA-1861-1 [1]. Please add it by hand, if the automatic mechanism failed somehow. done. By the way, usually, you can pipe the DSA through dsa2list, and it will

Re: CVE-2010-0286 and affected versions

2010-02-25 Thread Florian Weimer
* Holger Levsen: why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list 4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is not in Debian anywhere anymore... We somehow missed the removal of the alpha architecture from squeeze. Thanks for spotting

Re: CVE-2010-0286 and affected versions

2010-02-25 Thread Florian Weimer
* Moritz Muehlenhoff: On Thu, Feb 25, 2010 at 10:40:35PM +0100, Florian Weimer wrote: * Holger Levsen: why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list 4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is not in Debian anywhere anymore

Re: Refactoring the tracker

2010-05-04 Thread Florian Weimer
* Michael Gilbert: How about making use of a more standardized set of python features such as dictionaries for the database, and possibly storing those to disk using pickles The actual data is just 44 MB as an SQLite database, so this might work indeed. I had planned to use smaller pickles

A new ambiguity

2010-05-09 Thread Florian Weimer
I have found what appears to be a previously unknown ambiguity in the tracker input data. Consider these two DSAs: [01 May 2009] DSA-1785-1 wireshark - several vulnerabilities {CVE-2009-1210 CVE-2009-1268 CVE-2009-1269} [lenny] - wireshark 1.0.2-3+lenny5 [29 Nov 2009] DSA-1942-1

Re: Refactoring the tracker

2010-05-09 Thread Florian Weimer
* Raphael Geissert: Florian Weimer wrote: Another issue which has gained some significance lately is that the package and CVE lists have grown quite a bit, leading to longer and longer processing times on soler. I've removed a few unused features to speed things up a bit, but it seems

Re: Refactoring the tracker

2010-05-09 Thread Florian Weimer
* Michael Gilbert: Along with Raphael's suggestion, perhaps during updates we could load the new dictionaries into memory concurrently with the old ones. Then we could compare the two and only act on items that actually have differences before pushing the new updates. As long as things fit

Re: A new ambiguity

2010-05-10 Thread Florian Weimer
* Michael Gilbert: this has actually come up every now and then, and we have just had to accept the wrongness. i was actually planning to implement the above solution at some point, but hadn't found the time. i don't think the additional repetition is too burdensome since the CVE info is

Re: pilot-qof dpkg-cross reports in PTS

2010-05-15 Thread Florian Weimer
* Neil Williams: I don't see the same problem with my other packages' PTS pages, just these two: http://packages.qa.debian.org/d/dpkg-cross.html This is caused by an unimportant issue, it seems: http://security-tracker.debian.org/tracker/CVE-2008-4950

More stable temporary names and URLs

2011-01-14 Thread Florian Weimer
We have changed the tracker to use temporary names containing truncated hashes of the description. This means that URLs such as http://security-tracker.debian.org/tracker/TEMP-000-9A49E3 are more stable now. Basically, they are invalidated only if the description changes or a CVE name is

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: wishlist NOTE: see http://www.example.com/info.html; should render as NOTE: see <a href='http://www.example.com/info.html'><code>http://www.example.com/info.html</code></a> or something similar.

Bug#610222: http://security-tracker.debian.org/tracker/data/releases broken

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: normal The per-suite architecture list is currently broken (,, 0, 3, 4, 6, 8, 9, a, c, d, e, h, i, l, m, o, p, r, s, w).

Bug#479727: security-tracker: Show unimportant issues in some way on package overview

2011-01-16 Thread Florian Weimer
* Thijs Kinkhorst: Currently, issues marked as unimportant disappear entirely off the radar, which is not a big problem. I think for clarity however it would be better if they were displayed somewhere so users can see we know that such a CVE applies to the package, but we just disregard it.

Bug#610227: Move scripts driven by cron etc. to separate directory

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: wishlist In the secure-testing repository, the scripts which aren't supposed to be run by regular committers should be moved from the bin directory, so that there is less clutter there.

Re: Squeeze release vs. tracker

2011-02-13 Thread Florian Weimer
* Thijs Kinkhorst: I've changed the code right after squeeze's release. I've also restarted the tracker service. Apparently this is not enough - Florian, can you help? Changing the views required a schema update. I've switched to temporary views, and it should work now. I also fixed the

Re: DSA-2233-1 vs. tracker

2011-05-13 Thread Florian Weimer
* Francesco Poli: On Thu, 12 May 2011 22:13:00 +0200 Florian Weimer wrote: * Francesco Poli: It seems to me that the DSA-2233-1 tracker page [1] lacks the reference to CVE-2009-2939, which is instead present in the actual DSA [2]. Is there a reason for this, or is it just

Re: issues with version tracking

2011-10-20 Thread Florian Weimer
* Yves-Alexis Perez: CVEs for the radvd issues look weird on the tracker. For example, not so long ago sid had 1:1.8-1 (unfixed) while wheezy had 1:1.8-1.2 (fixed). Now both have 1:1.8-1 (while indeed the NMU reached testing today, so both sid and wheezy are fixed). Anyone knows what

Re: The tracker is no longer updated

2012-08-06 Thread Florian Weimer
* Moritz Mühlenhoff: It looks as if the tracker instance doesn't update the Packages file properly. Florian, can you look into it? A download from cdn.debian.net was stuck. I'll try to add a timeout, so that in the future, recovery will be fully automated.

Re: CVE-2013-0240 misreported as fixed in experimental

2013-02-08 Thread Florian Weimer
* Simon McVittie: https://security-tracker.debian.org/tracker/CVE-2013-0240 says: gnome-online-accounts wheezy 3.4.2-1 vulnerable sid 3.4.2-2 fixed experimental 3.6.1-1 fixed but the bug is not fixed in experimental, and the BTS'

Re: CVE-2013-0240 misreported as fixed in experimental

2013-02-16 Thread Florian Weimer
* Thijs Kinkhorst: Hi Florian, On Fri, February 8, 2013 21:28, Florian Weimer wrote: Good point. We shouldn't have experimental in the tracker because it doesn't work - in general, the fixed versions from unstable cannot be applied there. As there was another confusion about this today

Re: Post-release changes on soler

2013-05-14 Thread Florian Weimer
* Florian Weimer: FYI, I'm trying to implement the post-release changes on soler, the host for security-tracker.debian.org. The NVD feed is gone (all the XML files are empty), so I'm disabling that temporarily. The web site should follow the Subversion repository again.

Re: security-tracker now on https?

2013-05-19 Thread Florian Weimer
* Peter Palfrader: The solution I'm favouring right now is to get a single *.debian.org wildcard from the cartell and spread it far and wide. The contract terms usually do not allow this. We could ask StartSSL or some other CA if they would issue certificates to us in a convenient way. --

Re: security-tracker now on https?

2013-05-24 Thread Florian Weimer
* Stephen Gran: This one time, at band camp, Florian Weimer said: * Peter Palfrader: The solution I'm favouring right now is to get a single *.debian.org wildcard from the cartell and spread it far and wide. The contract terms usually do not allow this. We could ask StartSSL or some

Re: security-tracker now on https?

2013-05-24 Thread Florian Weimer
* Martin Zobel-Helas: No, wildcards certificates are generally only licensed for installation on a single server. http://www.digicert.com/wildcard-ssl-certificates.htm And every DigiCert wildcard certificate comes with an unlimited server license, so you only pay once—whether you have one

Schema reorganization for package_notes table

2014-02-02 Thread Florian Weimer
The package_notes table currently looks like this: CREATE TABLE package_notes (id INTEGER NOT NULL PRIMARY KEY, bug_name TEXT NOT NULL, package TEXT NOT NULL, fixed_version TEXT CHECK (fixed_version IS NULL OR fixed_version <> ''),

security-tracker.debian.org redirects fixed

2014-03-17 Thread Florian Weimer
The tracker assumed it was running an http:// service and generated https:// URLs, including in redirects. For some reason, my Firefox didn't like these, and I think it's because Strict Transport Security was activated at one point. I switched all URLs to https://, so the redirects should work

Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/

2014-03-18 Thread Florian Weimer
* Stephen Gran: This one time, at band camp, Florian Weimer said: Hi, I plan to switch the debsecan data source to URLs below: https://security-tracker.debian.org/tracker/debsecan/release/1/ I don't know how much traffic this will generate eventually. Would it be possible to tweak

Bug#759727: patches for including LTS into security-tracker.d.o

2014-08-31 Thread Florian Weimer
* Holger Levsen: -# security_db.py -- simple, CVE-driven Debian security bugs database +# lts_db.py -- simple, CVE-driven Debian security bugs database This change appears unnecessary. - AND sp.subrelease 'security' + AND sp.subrelease 'security' AND p.subrelease 'lts'
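Review bot: the second hunk mixes two table aliases in one condition, `sp.subrelease 'security'` and `p.subrelease 'lts'`; if both terms are meant to constrain the same row, the alias should be consistent (`sp` in both), and if they intentionally constrain different tables, a comment stating why the LTS exclusion applies to `p` rather than `sp` would help reviewers. The first hunk only renames the file header comment from security_db.py to lts_db.py, which the reply already flags as unnecessary.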

Re: Switching the tracker to git

2014-09-15 Thread Florian Weimer
My guess is that the only reason that subversion is still used is inertia and that people would be happier with git. However, I'm curious to know if anyone thinks otherwise? For releasing security advisories, we need the centralized repository to guarantee uniqueness of DSA numbers. I'm also

Re: debsecan now on Gitorious

2015-02-25 Thread Florian Weimer
* Raphael Hertzog: On Sun, 22 Feb 2015, Florian Weimer wrote: I've moved the debsecan Git repository to Gitorious. Please speak up if you want to be added to the push ACL. Out of curiosity, why not on git.debian.org ? As far as I understand it, there's no effective separation between user

debsecan now on Gitorious

2015-02-22 Thread Florian Weimer
I've moved the debsecan Git repository to Gitorious. Please speak up if you want to be added to the push ACL.

Bug#761859: yaml...

2015-02-22 Thread Florian Weimer
* Holger Levsen: the patch currently creates yaml, not json. Which do you prefer? JSON has less risk of unwanted data execution when deserializing. It is also supported by Python out of the box, so it's more natural for the successor of the custom debsecan format (which I created when Python

Bug#761859: security-tracker json deployed

2015-02-26 Thread Florian Weimer
* Holger Levsen: On Donnerstag, 26. Februar 2015, Paul Wise wrote: I noticed the description fields are truncated, is that intentional? that's all that is stored in the db... There used to be a job that downloaded the full description from the NVD web service and put it into the nvd_data

Re: Crippling query plan change between 3.7.13 and 3.8.10.2

2015-05-28 Thread Florian Weimer
* Florian Weimer: I will figure out a way to rewrite the query so that it runs reasonably fast again (which will address our immediate needs), but maybe there is something that can be fixed in the planner as well. I committed something and restarted the daemon. The page still loads extremely

Re: upgrading soler.d.o

2015-05-28 Thread Florian Weimer
* Salvatore Bonaccorso: If one tries to access the JSON format url this triggers the issue. Thanks for isolating the issue and providing a test case. I can reproduce locally. It may not be a memory leak, but a change in the SQLite query planner. The problematic query appears to be: SELECT

Crippling query plan change between 3.7.13 and 3.8.10.2

2015-05-28 Thread Florian Weimer
The Debian security tracker https://security-tracker.debian.org/ uses an SQLite database to keep track of vulnerabilities and generate reports. We recently upgraded SQLite from 3.7.13 to 3.8.7.1 as part of an operating system upgrade and experienced a crippling query planner change. I verified

Re: upgrading soler.d.o

2015-05-27 Thread Florian Weimer
* Peter Palfrader: we'd like to upgrade soler.d.o jessie shortly. Any objections? Should we just do it and let you pick up the pieces, if any, or would you rather stop by in #debian-admin on IRC to coordinate? If you do it closer to the weekend, I'll probably be around to pick up the

Re: Glances: Unprotected XMLRPC server enabled by default

2019-10-11 Thread Florian Weimer
* Jim Mi: > Done. Thanks. For future reference: > On Thu, Oct 10, 2019, 23:09 Salvatore Bonaccorso wrote: > >> Hi Jim, >> >> On Thu, Oct 10, 2019 at 04:31:01PM +0800, Jim Mee wrote: >> > Hi all, >> > >> > I recently found glances

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Francesco Poli: > Please note that the CVE is mentioned in [DSA-4667-1]. > > [DSA-4667-1]: > > > What's wrong with that tracker page? It's something in the NVD data that breaks the HTML escaping.

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Florian Weimer: > * Francesco Poli: > >> Please note that the CVE is mentioned in [DSA-4667-1]. >> >> [DSA-4667-1]: >> <https://lists.debian.org/debian-security-announce/2020/msg00071.html> >> >> What's wrong with that tracker page? >

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Salvatore Bonaccorso: > Hi Florian, > > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote: >> * Florian Weimer: >> >> > * Francesco Poli: >> > >> >> Please note that the CVE is mentioned in [DSA-4667-1]. >> >> >

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Salvatore Bonaccorso: > Hi Florian, > > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote: >> * Salvatore Bonaccorso: >> >> > Hi Florian, >> > >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote: >>

Re: Stretch-pu

2020-05-31 Thread Florian Weimer
* R. hertoric: > Number of Bugs reported up to date? Sorry, would you please explain? Thanks.