Florian Weimer wrote:

> REJECTED, RESERVED, NOT-FOR-US replace the corresponding "NOTE:"
> variants. Parsing the old tags is rather fragile because NOTE: is
> essentially a free-form field, so we often miss spelling errors. (The
> old tags remain valid, though -- there is no need to replace them at
> this point.)

Good idea on rejected and reserved. Not sure about not-for-us; part of the
reason we put the name of the software in parens is to aid finding bugs in
software if it does end up entering Debian later on. This information can be
hard to get from CAN descriptions otherwise. Also to record what software
name we checked for in Debian, in case it turns out we didn't look for the
right thing or something like that. So I think it's worthwhile to continue
including that information in not-for-us.

> "INVALID" means that the bug report is known to be false. For
> example:
>
> CVE-2003-0024
>         INVALID
>         NOTE: I have mailed Goran Weinholt <[EMAIL PROTECTED]> about this.
>         NOTE: Goran Weinholt <[EMAIL PROTECTED]> tells me that aterm 0.4.2 was
>         NOTE: never vulnerable to the problem described.
>         NOTE: this CVE is bogus.

Not sure how this is better than just the NOTEs by themselves.

> "NOT-A-BUG" means that the bug report is factually correct, but we do
> not view this as a vulnerability. Example:
>
> CAN-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting
> setuid or ...)
>         NOT-A-BUG
>         NOTE: This is intended behaviour, after all tar is an archiving tool and you
>         NOTE: need to give -p as a command line flag

This is already handled by the "unimportant" severity, which also lets us
cross-reference to the bug report in case we want to revisit it later.

> "IRREPRODUCIBILE" means that we have made reasonable effort to
> reproduce the bug (mailing list research, rough source code audit, a
> few exploit attempts), but we haven't found any evidence that it's
> actually there (or has been fixed in the past). For example:
>
> CAN-2001-1429 (Buffer overflow in mcedit in Midnight Commander 4.5.1 allows
> local ...)
>         IRREPRODUCIBILE
>         NOTE: I could track this down to this posting
>         NOTE: http://cert.uni-stuttgart.de/archive/vuln-dev/2001/11/msg00104.html
>         NOTE: This looks very obscure and does not contain useful information on how this
>         NOTE: was triggered and even then it's not a problem, as mcedit usage does not
>         NOTE: have a remote impact and is not suid

What's the value in having this be machine parseable?

-- 
see shy jo
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
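The thread above argues about whether status tags (INVALID, NOT-A-BUG, NOT-FOR-US, ...) buy anything over free-form "NOTE:" lines. The following is an added example, not code from the Debian secure-testing tracker or from either mail author, that parses a constructed sample in the shape of the list file and shows the concrete difference: a bare tag line can be validated against a fixed set, so a misspelt tag becomes a reported problem instead of a silently ignored note, while the old "NOTE: not-for-us (Software)" convention has to be recognised by a fragile regex. It keeps the parenthesised software name on NOT-FOR-US, since that is the information the reply wants preserved. Assumptions not stated on the page: continuation lines are tab-indented, the old convention was exactly "NOTE: not-for-us (Software)", the tag is meant to be spelt IRREPRODUCIBLE, and the CAN-9999-* ids and their descriptions are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Status tags from the proposal quoted above. Assumption: the tag is spelt
# IRREPRODUCIBLE; any other capitalised word is reported, not silently ignored.
STATUS_TAGS = {"REJECTED", "RESERVED", "NOT-FOR-US", "INVALID", "NOT-A-BUG", "IRREPRODUCIBLE"}

# Entry header: id at column 0 with an optional "(description)".
ENTRY_RE = re.compile(r"^(?P<id>(?:CVE|CAN)-\d{4}-\d+)(?:\s+\((?P<desc>.*)\))?\s*$")
# A bare status tag, optionally followed by the parenthesised software name.
TAG_RE = re.compile(r"^(?P<tag>[A-Z][A-Z-]+)(?:\s*\((?P<paren>[^)]*)\))?\s*$")
# The old free-form convention, as this example assumes it: "NOTE: not-for-us (Software)".
OLD_NOT_FOR_US_RE = re.compile(r"^NOTE:\s*not-for-us\s*\((?P<paren>[^)]*)\)", re.IGNORECASE)
# Loose match used only to flag notes that were probably meant as not-for-us.
LOOSE_NOT_FOR_US_RE = re.compile(r"not\W*for\W*us", re.IGNORECASE)


@dataclass
class Entry:
    cve: str
    description: str = ""
    tags: List[str] = field(default_factory=list)
    software: str = ""                      # parenthesised name kept for NOT-FOR-US
    notes: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def parse_list(text: str) -> Dict[str, Entry]:
    """Parse the list format into entries keyed by id; record lines that could not be classified."""
    entries: Dict[str, Entry] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if not raw[0].isspace():            # new entry header
            m = ENTRY_RE.match(raw)
            if not m:
                raise ValueError(f"line {lineno}: unparseable entry header {raw!r}")
            current = Entry(m.group("id"), m.group("desc") or "")
            entries[current.cve] = current
            continue
        if current is None:
            raise ValueError(f"line {lineno}: continuation line before any entry")
        line = raw.strip()
        if line.startswith("NOTE:"):
            current.notes.append(line[len("NOTE:"):].strip())
            m = OLD_NOT_FOR_US_RE.match(line)
            if m:                           # old-style tag, still accepted
                current.tags.append("NOT-FOR-US")
                current.software = m.group("paren").strip()
            elif LOOSE_NOT_FOR_US_RE.search(line):
                current.problems.append(f"line {lineno}: note looks like a misspelt not-for-us tag")
            continue
        m = TAG_RE.match(line)
        if m and m.group("tag") in STATUS_TAGS:
            current.tags.append(m.group("tag"))
            if m.group("tag") == "NOT-FOR-US" and m.group("paren"):
                current.software = m.group("paren").strip()
        elif m:
            current.problems.append(f"line {lineno}: unknown status tag {m.group('tag')!r}")
        else:
            current.problems.append(f"line {lineno}: unrecognised line {line!r}")
    return entries


def problems(entries: Dict[str, Entry]) -> List[str]:
    """Flatten per-entry problems so a commit hook could reject the file."""
    return [f"{e.cve}: {p}" for e in entries.values() for p in e.problems]


# Constructed sample in the shape of the list file (not the real file);
# the CAN-9999-* ids and their descriptions are placeholders.
SAMPLE = """\
CVE-2003-0024
\tINVALID
\tNOTE: Goran Weinholt tells me that aterm 0.4.2 was
\tNOTE: never vulnerable to the problem described.
CAN-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting setuid or ...)
\tNOT-A-BUG
\tNOTE: This is intended behaviour, you need to give -p as a command line flag
CAN-9999-0001 (constructed placeholder)
\tNOTE: not-for-us (FooServer)
CAN-9999-0002 (constructed placeholder)
\tNOT-FOR-US (BarDaemon)
CAN-9999-0003 (constructed placeholder)
\tNOTE: not for us (BazTool)
CAN-9999-0004 (constructed placeholder)
\tIRREPRODUCIBILE
CAN-9999-0005
\tREJECTED
"""

if __name__ == "__main__":
    parsed = parse_list(SAMPLE)
    for e in parsed.values():
        print(e.cve, e.tags, e.software or "-")
    for p in problems(parsed):
        print("PROBLEM", p)
```

Running it shows the two outcomes the thread is about: CAN-9999-0003 ("not for us" with spaces) gets no status at all and is only caught by the loose heuristic, whereas the misspelt bare tag on CAN-9999-0004 is rejected outright because it is not in STATUS_TAGS. That is the machine-parseable value: a status line has a closed vocabulary that can be checked on commit, while a NOTE: line can only be guessed at.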

