Hi, I wrote some scripts to determine which issues are fixed by migration, DTSA, or removal from testing. Issues that are "fixed" by downgrading to unimportant or not-affected are not included. Currently, the output looks like this:

DTSA:
=====
centerim 4.22.1-2lenny1:
    DTSA-55-1    : centerim - arbitrary code execution
    CVE-2007-3713: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3713

Migrated from unstable:
=======================
libpam-usb 0.4.1-1:
    <no CVE yet> : pam usb wrongly allows authentication without password in ssh sessions (TEMP-0000000-000573)
streamripper 1.62.2a-1:
    CVE-2007-4337: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4337

Removed from testing:
=====================
acidlab:
    CVE-2006-1590: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1590

I think we could create some daily or weekly summary mails from this data. Is this a useful format?

Should we include the long descriptions from the CVEs? I think those are too long. Or is there a source for short descriptions for CVEs that I don't know about?

For removed packages, there is the problem that (AFAIK) the release team sometimes removes packages temporarily to ease transitions. This could be confusing for the users. Should the information about removed packages be included?

Should we include other information, like scores from NVD or our priorities?

In the last week, there have been 0-4 issues fixed per day. Do we want daily or weekly summary mails?

For now, the daily output of the script is at http://www.sfritsch.de/~dst/

If you notice any inconsistencies, please tell me.

Cheers,
Stefan

