
Re: [Secure-testing-commits] r28952 - in data: . CVE



Hi,

Side remark: Could we get reply-to set to
debian-security-tracker@lists.debian.org on the commit mails?

On Mon, 22 Sep 2014, Moritz Muehlenhoff wrote:
> Modified:
>    data/CVE/list
>    data/dsa-needed.txt
> Log:
> remove unfixed entries for squeeze, all older versions in the older suites
>   are unfixed by default

I knew this and I asked this on IRC #debian-security without getting any
reply:
10:51 <buxy> does it hurt to add "[squeeze] - <unfixed>" even though the
tracker knows it already? It could be useful as a confirmation that someone
investigated the issue and confirmed that squeeze is affected.

> remove apache2 from dsa-needed, only one debatable issue is open for wheezy

Why don't you add <no-dsa> at the same time then?

The severity of the issue was unclear to me as well and I asked for guidance on IRC
without much success:
10:19 <buxy> So I want to do a bit of CVE triaging (targeting oldstable) and I
want to double check as I'm quite new to this.
10:20 <buxy> I start at the top of the list and I see apache2 with CVE-2013-5704
10:20 <buxy> that CVE seems rather old, but it has no classification
whatsoever, it's not marked <no-dsa> and also not marked unimportant.
10:23 <buxy> Is it common to have very old CVE entry without any decision on
severity and whether it warrants a DSA/DLA or not?
10:27 <jcristau> it's not all that old, it was fixed in sid like yesterday
10:31 <thijs_> buxy: the year in the cve name is based on the original year of
discovery, not of assignment
10:31 <thijs_> so if a bug was found in 2013 but e.g. its security impact only
became apparent today, it will get a cve-2013-xxxx
10:31 <buxy> ah, ok
10:33 <buxy> I'm wondering whether it should be classified low or medium. The
vulnerability depends on a specific user configuration but it could result in
some web applications granting undue privileges to remote users exploiting it.
[ no answer ]

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
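The mail turns on a detail of the tracker's data/CVE/list file: an unqualified package line describes unstable, older suites count as unfixed by default, and a per-suite line such as "[squeeze] - <unfixed>" or "[wheezy] - <no-dsa>" records an explicit decision. The following is an added example, not the tracker's own code: a small parser and resolver over a constructed snippet in that shape, which lists the CVEs where a suite still carries only the implicit default and no severity has been recorded. The exact line shapes (the parenthetical holding a severity keyword and/or a bug reference, NOTE:/TODO: lines being skipped) are assumptions, and the real tracker also compares the version shipped in each suite against the fixed version, which is not modelled here.

```python
"""Toy parser/resolver for the Debian security tracker's data/CVE/list
format, contrasting "older suites are unfixed by default" with an explicit
"[squeeze] - <unfixed>" line.  Added example, not tracker code; the format
details modelled here are assumptions noted inline."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of data/CVE/list.  CVE ids, package
# names, versions, bug numbers and descriptions are made up.
SAMPLE = """\
CVE-2014-0001 (Fixed in unstable, nothing recorded for older suites)
\t- examplepkg 1.2-3 (bug #100000)
CVE-2014-0002 (Open everywhere, explicitly confirmed on squeeze)
\t- examplepkg <unfixed> (low; bug #100001)
\t[squeeze] - examplepkg <unfixed>
CVE-2014-0003 (Fixed in unstable, no-dsa decision taken for wheezy only)
\t- otherpkg 2.0-1
\t[wheezy] - otherpkg <no-dsa> (Minor issue)
CVE-2014-0004 (Open, marked unimportant)
\t- otherpkg <unfixed> (unimportant)
"""

# Assumed line shapes: "CVE-YYYY-NNNN (description)" opens an entry;
# "<tab>- pkg <version-or-marker> (note)" is the unqualified (unstable)
# status; "<tab>[suite] - pkg <marker> (note)" overrides it for one suite.
# NOTE:/TODO: lines and anything else are ignored.
ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:\((.*)\))?\s*$")
STATUS_RE = re.compile(
    r"^\s+(?:\[(?P<suite>[a-z-]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<status>\S+)"
    r"(?:\s+\((?P<note>.*)\))?\s*$"
)
# Assumed: a severity keyword, when present, leads the parenthetical note.
SEVERITIES = {"unimportant", "low", "medium", "high"}


@dataclass
class Entry:
    cve: str
    description: str = ""
    # unqualified line: package -> (status, note); status is a version or <marker>
    packages: dict = field(default_factory=dict)
    # explicit per-suite line: (suite, package) -> (status, note)
    suites: dict = field(default_factory=dict)


def parse_list(text):
    """Parse data/CVE/list-shaped text into Entry objects."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(m.group(1), m.group(2) or "")
            entries.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue
        status, note = m.group("status"), m.group("note") or ""
        if m.group("suite"):
            current.suites[(m.group("suite"), m.group("pkg"))] = (status, note)
        else:
            current.packages[m.group("pkg")] = (status, note)
    return entries


def severity(entry, pkg):
    """Severity keyword recorded on the unqualified line, or None."""
    _status, note = entry.packages.get(pkg, (None, ""))
    first = note.split(";")[0].strip()
    return first if first in SEVERITIES else None


def suite_status(entry, suite, pkg):
    """Return (kind, status, note) for pkg in suite.

    kind is "explicit" when a "[suite]" line exists, "implicit" when the
    tracker's default applies (older suite assumed unfixed whenever the
    package is listed as open or fixed only in unstable), None if unlisted.
    """
    if (suite, pkg) in entry.suites:
        status, note = entry.suites[(suite, pkg)]
        return ("explicit", status, note)
    if pkg in entry.packages:
        status, _note = entry.packages[pkg]
        if status == "<not-affected>":
            return ("implicit", "<not-affected>", "")
        return ("implicit", "<unfixed>", "default; unstable has " + status)
    return (None, "<not-listed>", "")


def needs_decision(entries, suite):
    """(cve, pkg) pairs that are unfixed in `suite` only by default and
    carry no severity, i.e. nobody has recorded a triage decision yet."""
    out = []
    for e in entries:
        for pkg in e.packages:
            kind, status, _ = suite_status(e, suite, pkg)
            if kind == "implicit" and status == "<unfixed>" and severity(e, pkg) is None:
                out.append((e.cve, pkg))
    return out


if __name__ == "__main__":
    entries = parse_list(SAMPLE)
    for suite in ("squeeze", "wheezy"):
        print(suite, "undecided:", needs_decision(entries, suite))
```

Run stand-alone it prints, for each suite, the entries where only the implicit default applies; the explicit "[squeeze] - <unfixed>" line on the second entry is what removes it from the squeeze list, which is the confirmation value the mail argues for.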
