
Bug#741713: security-tracker: in the list of resolved issues, list releases and versions where fixes happened



On Sun, 16 Mar 2014 11:57:49 +0800 Paul Wise <pabs@debian.org> wrote:
> Package: security-tracker
> Severity: wishlist
> 
> It would be useful to people using modified versions of packages if
> the security tracker listed releases and versions where fixes
> happened in the list of resolved issues. Combined with a fix for
> #611162 and or a link to a debdiff or the fixed version from
> snapshot.d.o this could be very useful for people wanting to apply
> fixes to internally modified packages and to the security teams of
> Debian derivatives.
> 
> https://security-tracker.debian.org/tracker/source-package/samba

The detail page for each CVE lists the release and version information
and has a link to the PTS to get more information on the changes in the
version. (This also provides the link to the changelog for #611162).

e.g. https://security-tracker.debian.org/tracker/CVE-2021-23192

The notes for a CVE will, wherever possible, already provide a link to
the upstream change which would seem to be more suitable for modified
packages & derivatives.

The difficulty with both the debdiff and snapshots links is that many
CVEs are filed after the fix has been released & uploaded to unstable,
so the CVE will not be mentioned in the package changelog & the change
(in unstable) will typically be a large change like a new upstream
release, not a targeted fix specific to the CVE. The fixed version in
the CVE detail page for unstable then points at the first version in
unstable which contains the fix. This, in turn, is not necessarily the
same upstream release that fixed the CVE, it could easily be several
upstream releases later, depending on the activity of the Debian
maintainer & rate of upstream releases. A debdiff of that size is not
likely to be of any use.

Secondly, the fix for the CVE is often masked by later changes in the
same area of code. By the time the code is updated in Debian, the fixed
code may have been reworked several times. (Sometimes introducing and
then fixing new CVEs.)

Depending on the package, many modified packages and derivatives will
not make changes for every change in the archive, further complicating
the differences between versions.

So an element of human investigation is always going to be required
when applying a CVE fix in Debian to a modified package or derivative -
an automated link could end up being less helpful than the current
links.

In cases where the CVE is filed and set as unfixed in the tracker, a
Debian bug will generally be filed and that bug number is included in
the detail page for the CVE.

Where there has been no upstream release & the CVE is fixed by an
upload to unstable, common practice is to reference the CVE in the
patch name or description as well as in the changelog. The place to
determine that would appear to be within the PTS, not the security
tracker.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
