* Moritz Muehlenhoff:

> Florian Weimer wrote:
>> > [distribution-tags] - packagename <no-dsa> (This explains, why there is no
>> > DSA)
>>
>> I'm wondering if this is the correct format. Wouldn't it make sense
>> to generate a web page for http://www.debian.org/security/ from this
>> data? If yes, you might want to have a bit more space for
>> explanations than that.
>
> At a later stage this could be used to generate
> http://www.debian.org/security/nonvulns-sarge and the like, yes. These
> explanations are also only a single line. If there's the need for a
> more verbose form the bug should cover it anyway.

Oh, maybe we should tweak the syntax so that a reference to a bug report can be included.

> This would be an example:
> CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when
> ...)
> [sarge] - phpbb2 <no-dsa> (Affects only a config option that is
> inherently insecure)

Okay, I've added something to the parser. The information is not really included in vulnerability calculations, yet. I'm not really sure how to handle this in debsecan.

> So, maybe debsecan could list these issues as "unfixed for a reason"? Or you
> simply leave them as unfixed, but please ensure that the Python lib doesn't
> choke about the new syntax element.

Sure, please give it a try.
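
An added example, not part of the original message and not the secure-testing or debsecan parser: a tolerant Python parser for the `<no-dsa>` line format quoted above, which reports such entries as still unfixed and skips lines it does not understand instead of failing. The regular expressions, the record fields and the `<some-future-tag>` line are assumptions made for illustration, and the sample input is constructed.

```python
import re

# Constructed sample in the format quoted in the message (description elided as there).
SAMPLE = """\
CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
\t[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)
\t[sarge] - phpbb2 <some-future-tag> (constructed line with an unknown element)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d+)\s")
# [release] - package <tag> (free-text explanation); assumed grammar
ANNOTATION = re.compile(
    r"^\s*\[(?P<release>[a-z]+)\]\s+-\s+(?P<package>\S+)\s+"
    r"<(?P<tag>[a-z-]+)>(?:\s+\((?P<reason>.*)\))?\s*$"
)

def parse(text):
    """Return (records, skipped); never raises on an unrecognised line."""
    records, skipped, cve = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            cve = m.group(1)
            continue
        m = ANNOTATION.match(line)
        if m and cve and m.group("tag") == "no-dsa":
            records.append({
                "cve": cve,
                "release": m.group("release"),
                "package": m.group("package"),
                # A no-dsa entry is still vulnerable: never count it as fixed.
                "status": "unfixed for a reason",
                "reason": m.group("reason") or "",
            })
        else:
            # Unknown syntax is recorded for review, not silently dropped.
            skipped.append((lineno, line.strip()))
    return records, skipped

if __name__ == "__main__":
    records, skipped = parse(SAMPLE)
    for r in records:
        print("{cve} {package} [{release}]: {status} ({reason})".format(**r))
    for lineno, line in skipped:
        print("line %d not understood: %s" % (lineno, line))
```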

