Hi Salvatore,
On Tue, Feb 12, 2019 at 08:13:18AM +0100, Salvatore Bonaccorso wrote:
> I have the attached patch committed in a local branch, but want first
> to confirm is this the final intended URL to reach the DLAs?
> -return
>
package: security-tracker
x-debbugs-cc: debian-...@lists.debian.org
Hi,
this is a bug to track fixing this small glitch in the new
www.debian.org/lts/security/ area:
On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> >> * Adaptation in the security tracker so the new URL paths
On Wed, Nov 14, 2018 at 07:45:59PM +0100, Moritz Muehlenhoff wrote:
> Nearly all the tasks of actually editing the data require a look at the
> complete
> data, e.g. to check whether something was tracked before, whether there's an
> ITP
> for something, whether something was tracked as NFU in
On Tue, Nov 06, 2018 at 07:45:24AM +0100, Salvatore Bonaccorso wrote:
> > DLA link is broken.
> > e.g. https://security-tracker.debian.org/tracker/DLA-1445-1 page
> > "SourceDebian LTS" points to
> > https://www.debian.org/security/2018/dla-1445
> > but there's no such page.
> Cf. #762255
On Sat, Sep 01, 2018 at 12:43:58PM +0800, Paul Wise wrote:
> > So, I always go to [1] with my web browser, copy the URL of the .dsc file
> > and then dget that .dsc file.
> This misses out verifying apt signatures.
the .dsc file is signed and dget verifies it.
--
cheers,
Holger
On Tue, Dec 26, 2017 at 03:29:08PM +0100, Salvatore Bonaccorso wrote:
> FTR, so now that the beta for salsa.d.o has been announced I started
> to look on what further is needed and recorded further findings in
> TODO.gitmigration.
\o/
thanks for doing this work!
> [...] Personally I still would
On Wed, Mar 29, 2017 at 07:29:06AM +0200, Salvatore Bonaccorso wrote:
> The security-tracker side of this has been implemented now, Paul Wise
> did the corresponding work.
cool! thanks Paul!
--
cheers,
Holger
Hi Grant,
On Thursday, 7 January 2016, Grant Murphy wrote:
> I'm trying to build a tool that monitors security issues across a
> number of different sources. One of which was the Debian security
> tracker.
cool!
> I had hoped to periodically poll this url:
>
package: security-tracker
x-debbugs-cc: Raphael Geissert geiss...@debian.org
Hi Raphael,
httpredir as used for security-tracker.debian.org has some problems updating
some Packages files, _sometimes_. IOW: I've seen this working on my laptop,
but not when deployed on soler. The url exists... (or
Hi Salvatore,
On Tuesday, 5 May 2015, Salvatore Bonaccorso wrote:
I think two more changes were actually needed to get the testing
status view show the correct information: r34072 and 34073.
good catch, thanks!
cheers,
Holger
package: security-tracker
severity: wishlist
Hi,
3fa31ab2a22a7e6db606899ca3ee6cb45a7884d1 / svnr33868 is commit showing what
needs to be done on upgrades, specifically these files need to be updated:
Makefile # search for release-names
bin/tracker_data.py # search for
Hi Francesco,
On Monday, 27 April 2015, Francesco Poli wrote:
3fa31ab2a22a7e6db606899ca3ee6cb45a7884d1 / svnr33868 is commit showing
I am sorry to ask, but... is this commit supposed to be already live?
yes it is.
I am asking since I still see a tracker situation inconsistent with the
Hi Raphael,
On Monday, 20 April 2015, Raphael Hertzog wrote:
I just noticed that DLA/DSA end up referenced as security issues. See
for example DLA-204-1 and DLA-27-1 assigned to file.
That's a bug, thanks for notifying. I will fix it soon, latest on Saturday
when I'll add oldoldstable
x-debbugs-cc: 761859, hert...@debian.org
package: security-tracker
severity: wishlist
Hi,
On Monday, 16 March 2015, Raphael Hertzog wrote:
Another nice thing to add in the generated file is whether the package is
listed in dsa-needed.txt and dla-needed.txt.
That would be two boolean fields
Hi Raphael,
On Monday, 16 March 2015, Raphael Hertzog wrote:
I'm currently trying to use the generated json but the data below the
releases field doesn't correspond to what we discussed. It contains
entries like wheezy-security or squeeze-security when it was supposed
to have only the
Hi,
unless someone objects profoundly I'll switch the links from the security-
tracker to tracker.debian.org instead of pointing to the old PTS in the
coming days.
cheers,
Holger
Hi,
On Friday, 27 February 2015, Paul Wise wrote:
To clarify, I was suggesting keep the version numbers in the
repositories section but only keep fixed version numbers in the
releases section. Also, the fixed version numbers appear to be
incorrect, for example the website says CVE-2012-6656
Hi,
On Monday, 9 March 2015, Raphael Hertzog wrote:
But I wonder why you have such problems? Aren't you storing the result
in memory and then letting a json lib output the data?
I don't, as I've converted the previous yaml output to json, because I liked
the human readability of the result...
Hi,
On Monday, 9 March 2015, Raphael Hertzog wrote:
I don't understand. IIRC we said the content of repositories and
releases was supposed to have the same structure. The only difference
was that it applied to different versions of packages.
I think the confusion might be because you stated
Hi,
I have deployed this now. It might be that fixed_version=0 means not
affected but I'm not sure yet and my mind wants a break (for a moment)...
cheers,
Holger
Hi Florian,
On Thursday, 26 February 2015, Florian Weimer wrote:
There used to be a job that downloaded the full description from the
NVD web service and put it into the nvd_data table (update-nvd and
DB.updateNVD()). The web service looks at this table and prefers the
descriptions found
Hi Paul,
On Thursday, 26 February 2015, Paul Wise wrote:
I noticed the description fields are truncated, is that intentional?
that's all that is stored in the db...
What about making the structure like this?
why? :)
I'm guessing the code only
produces one instance of each package.
yes
control: tags -1 + pending
Hi,
so I've deployed my patches now and you can get json at
https://security-tracker.debian.org/tracker/data/json now.
I haven't tested the output against a json validator yet... so feedback
welcome and I do expect some more work to do...
Important change:
- CVEs
Hi Raphael,
thanks for your feedback! I got a consistent idea now.
On Wednesday, 25 February 2015, Raphael Hertzog wrote:
- if a CVE is neither fixed in lts/security/(squeeze|wheezy), but the
version in lts/security differs from squeeze|wheezy, which version+suite
to display as affected?
Hi,
On Tuesday, 24 February 2015, Paul Wise wrote:
I think it would be useful to provide the non-aggregated version for
folks who only use some of the stable suites. Not sure if the sectracker
has information about stable-proposed-updates but if so it would be good
to include it too.
it
Hi,
On Tuesday, 24 February 2015, Richard Hartmann wrote:
Depending on your layout, you don't really need two different JSON
files, though.
how would you distinguish between squeeze, which includes lts and security,
and squeeze, which doesn't? Same for wheezy (and security and not).
cheers,
Hi,
On Monday, 23 February 2015, Raphael Hertzog wrote:
The only missing data I see is the Debian bug report assigned to each CVE.
I'll add that.
And you call the file json but it contains YAML :-)
yeah, fixed in the last attached patch, but I will rewrite it to actually
output json...
Hi,
On Monday, 23 February 2015, Paul Wise wrote:
Hmm, it appears that these are the default urgency from NVD and the ones
without asterisks are ones set by SVN committers. That doesn't appear to
be a distinction worth preserving but it is fine to do so.
I kept it under the premise of
: Holger Levsen hol...@layer-acht.org
Date: Sun, 22 Feb 2015 00:39:00 +0100
Subject: [PATCH] Dump data as .yaml via /tracker/data/yaml (Closes: #761859)
---
bin/tracker_service.py | 48
1 file changed, 48 insertions(+)
diff --git a/bin
updated in r30231, thanks Scott!
Hi,
On Tuesday, 23 September 2014, Michael Gilbert wrote:
There is a page that lists candidates for DTSA (Debian Testing
Security Announcements), which aren't actually done anymore
I can remove it, if it's really not used at all anymore.
, but
something like that would be very useful for
Hi Raphael,
thanks for your work on triaging oldstable related CVEs!
On Monday, 22 September 2014, Raphael Hertzog wrote:
1/ is there a page on the security tracker that lists packages with
open vulnerabilities in stable/oldstable which are neither unimportant,
nor marked no-dsa and not
Hi,
On Monday, 22 September 2014, Christoph Biedl wrote:
While the new appearance of the security tracker is a *huge*
improvement, both in information details and design, thanks for that,
thanks!
As a suggestion for the above issue:
+ squeeze, squeeze (security) 5.04-5+squeeze5 [gray]No
here, and the EOL code can also be refactored, once the model is redone :)
cheers,
Holger
From a96948b3ef4e4a40107cc8f00b9af584b6d26fb6 Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Sat, 13 Sep 2014 02:02:42 +0200
Subject: [PATCH] Display end-of-life information
by release, subrelease
and archive.
Shall I push this patch into SVN?
cheers,
Holger, finally finished chasing what he thought was a low hanging
fruit ;)
From f1841ee6be909cd6c8e8c8bf94385edf9637954f Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Fri, 19 Sep 2014 17:02
Hi Salvatore,
On Thursday, 18 September 2014, Salvatore Bonaccorso wrote:
Disclaimer, only gave a quick look. Thanks again for the work :).
:-)
I noticed when checking some random packages, that the version
information though is not correct. I take again the bind9 example for
control: tags -1 - pending
# rather help is welcome to fix improve the regex as described in the bug log
# (see previous mail to the bug)
package: security-tracker
Hi,
the ordering of the releases (sid, jessie, wheezy...) and issues (open and
resolved CVEs, DSAs, etc) is not consistent in the tracker web ui (and was
nondeterministic in parts).
So what do we have, there are basically two views:
package-centric, like
Hi,
On Monday, 15 September 2014, Thijs Kinkhorst wrote:
What would be the actual benefits of moving to Git and I'm not talking
git log, git show, git stash and git branch and cherry-pick...!!
Working with a decentralized and fast(!) version control system locally is
so much more fun +
Hi Salvatore,
On Saturday, 13 September 2014, Salvatore Bonaccorso wrote:
This changes the ordering in the 'Security announcements section,
ordering it by release date of the DSA/DLA, right? So for example
file will show with your patch:
DSA / DLA Description
DLA-50-1 file - security
Hi,
On Monday, 15 September 2014, Salvatore Bonaccorso wrote:
Hmm, would something wrapping around of the following work?
sounds like a good start...
Considering there might be more than one matching group in each line,
so the example holds only for a simplest case again :(
are there
control: tags -1 + pending
Hi,
see attached. This version also deals with several URLs in one note :)
It also works for all three recent examples of Salvatore.
cheers,
Holger
From 7b4ea6cc46ffc1a507d94c2a13ef3c27e3123031 Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer
Hi Salvatore,
On Monday, 15 September 2014, Salvatore Bonaccorso wrote:
https://security-tracker.debian.org/tracker/CVE-2011-2825
hmpf, that works for 1 out of 3, the other 2 are detected as one :/
We only have a handful of those, so: If you find a solution to catch
also these then good.
Hi,
updated patch attached.
cheers,
Holger
commit da14dc2780b7f3e3a1bde8cbd526eb271497fde2
Author: Holger Levsen hol...@layer-acht.org
Date: Sat Sep 13 02:02:42 2014 +0200
Display end-of-life information in the web view. (Closes: #642987)
diff --git a/bin/tracker_service.py b
control: tags -1 + pending
package: tracker.debian.org
severity: wishlist
x-debbugs-cc: debian-security-tracker@lists.debian.org
Hi,
the information gathered in the security-tracker should be displayed in the
package tracker.d.o.
There is an interface for it, see
https://security-tracker.debian.org/tracker/data/pts/1
Hi,
we really need to refactor the codebase eventually ;-)
I've thought about treating backports as subrelease, but I've come to the
conclusion that would be wrong.
See attached.
cheers,
Holger
From aaee1f290a7d96f8dcdff412fd9207b0a5a77bc2 Mon Sep 17 00:00:00 2001
From: Holger
control: tags -1 + pending
# *lalala*
# preview in ssh://git.debian.org/git/collab-maint/secure-testing.git
# not yet merge ready though, but a nice preview
thanks
# mostly not my work, just very *lalala* :)
!
Holger
From 1317d0e6a710195c3012f6b84afeebddfddfde20 Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Sun, 14 Sep 2014 22:36:54 +0200
Subject: [PATCH 1/4] tracker_service.py: add support for external css files
---
bin/tracker_service.css | 0
bin
on top. The reasoning because it has been
like this since always is not so convincing.
cheers,
Holger
cheers,
Holger
From 808d4d51b67cf8a756c3bfbd290c2ade2d8a Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Sat, 13 Sep 2014 01:47:11 +0200
Subject: [PATCH
Hi,
attached are three small no brainer fixes I'd like to apply, please confirm :)
cheers,
Holger
Index: lib/python/bugs.py
===
--- lib/python/bugs.py (Revision 28738)
+++ lib/python/bugs.py (Arbeitskopie)
@@ -886,8 +886,9
Hi,
On Friday, 12 September 2014, Thijs Kinkhorst wrote:
Looks good to me.
I've committed these now.
Personally, I'd be fine with you just committing your stuff. People will
be looking at commit messages anyway. And in case of trouble things are
easily rolled back...
I could do that, but
Hi,
I think this is clearly a bugfix ;-) Please comment.
Both open and resolved issues will be inverse sorted, so that newest CVEs will
be on top of the list.
cheers,
Holger
commit dd7b75472e00cea9759eb6554decf26c6fe8eb11
Author: Holger Levsen hol...@layer-acht.org
Date: Sat Sep 13
Hi,
commit baa7d44e460efe2b24e7b029633701cd29986d0d
Author: Holger Levsen hol...@layer-acht.org
Date: Sat Sep 13 01:23:35 2014 +0200
Sort releases correctly in tabular view. (Closes: #742855)
diff --git a/lib/python/security_db.py b/lib/python/security_db.py
index 9a25ad6..8580d5b 100644
Hi,
commit b22f1ba0cd9499e716f7b729f546a98bd4950dda
Author: Holger Levsen hol...@layer-acht.org
Date: Sat Sep 13 01:47:11 2014 +0200
Display oldstable/stable security and oldstable-lts repositories
in tabular view. (Closes: #742382)
diff --git a/bin/tracker_service.py b/bin
',
- 'partially-fixed', 'todo')),
+ 'partially-fixed', 'todo', 'end-of-life')),
I left it in for now.
commit 07399db5abecc0e5b79b70f2a0b47bb3519dabdd
Author: Holger Levsen hol...@layer-acht.org
Date: Sat Sep 13 02:02:42 2014 +0200
Display end
Hi,
On Wednesday, 10 September 2014, Moritz Muehlenhoff wrote:
It's only that no one has come around to change this. But since you now
have experience with the code base... :-)
grummel, this seems to be true ;)
from what I've said on irc just now:
* | h01ger is happy to report that he has
Hi,
On Thursday, 11 September 2014, Holger Levsen wrote:
(oh, and it now just shows squeeze and squeeze-lts, as it would show wheezy
and wheezy-security if that were in source_packages... I'm tempted to debug
this now, but really need to do other stuff first :)
grummel. and so
Hi Salvatore,
so you want more recent CVEs up and older CVEs down?
(So far I achieved that for Security announcements but neither for Open
issues nor Resolved issues...)
cheers,
Holger
control: tags -1 + pending
Hi Salvatore,
On Thursday, 11 September 2014, Salvatore Bonaccorso wrote:
No, not about the CVE ordering, but the columns in the tabular view.
They are not generated consistently. For example if you look at [1],
it says
[...]
Others are correct, for example
Hi Moritz,
can you please give another example for an issue we don't care about because
the package's support has reached end-of-life? CVE-2010-3908 had been fixed
after all, despite being unsupported...
cheers,
Holger
control: tags -1 + pending
Hi,
so I said on irc:
h01ger | http://127.0.0.1:10605/tracker/CVE-2014-2242 shows me that
mediawiki has reached EOL in squeeze, it's just not shown on
http://127.0.0.1:10605/tracker/source-package/mediawiki (in the Available
versions) table, thus I'm not
Hi,
I've fixed
#742382 [i|P|=] [security-tracker] security-tracker: tabular view doesn't
#642987 [n|P| ] [security-tracker] Entries marked as end-of-life should not
#742855 [n|P| ] [security-tracker] security)
#610220 [w|P| ] [security-tracker] Show URLs in TODO/NOTE as hyperlinks in
package: security-tracker
severity: important
x-debbugs-cc: debian-...@lists.debian.org
Hi,
the tracker doesn't show issues which are only closed in the security or lts
subreleases as closed, as for example can be seen on https://security-
tracker.debian.org/tracker/source-package/file
eg
Hi Salvatore,
On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
The tabular view clearly would need some improvement and making clear
where the fix is already, e.g. wheezy-security but not yet wheezy. I
try to explain. The version tracked on the individual CVE pages is
*correct*
Hi Florian,
On Sunday, 31 August 2014, Florian Weimer wrote:
* Holger Levsen:
-# security_db.py -- simple, CVE-driven Debian security bugs database
+# lts_db.py -- simple, CVE-driven Debian security bugs database
This change appears unnecessary.
right (ouch)
- AND sp.subrelease
Hi,
On Sunday, 31 August 2014, Florian Weimer wrote:
That's indeed much better. I've made this additional change.
:)
around line 790 there is also:
# Copy notes from DSA/DTSA/DLA to CVE.
...
SELECT source, target FROM bugs_xref
WHERE (source LIKE 'DTSA-%' OR source LIKE 'DSA-%' OR source
Hi,
On Sunday, 31 August 2014, Florian Weimer wrote:
You mean, with TEMP-%?
yeah, that's what I meant...
It's currently not possible to address TEMP- vulnerabilities reliably,
so they cannot occur as copy targets.
ah!
cheers,
Holger
control: reassign -1 security-tracker
the bug reads:
package: security-tracker.debian.org
severity: wishlist
Hi,
looking at https://security-
tracker.debian.org/tracker/status/release/oldstable (unstable too) it seems to
me the urgency field is rather unused, for oldstable all entries are
Hi Florian,
On Thursday, 25 February 2010, Florian Weimer wrote:
why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list
4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1
is not in Debian anywhere anymore...
We somehow missed the removal of the alpha
Hi,
why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list
4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is
not in Debian anywhere anymore...
cheers,
Holger