On Sun, 16 Mar 2014 11:57:49 +0800 Paul Wise <pabs@debian.org> wrote:

> Package: security-tracker
> Severity: wishlist
>
> It would be useful to people using modified versions of packages if
> the security tracker listed releases and versions where fixes
> happened in the list of resolved issues. Combined with a fix for
> #611162 and/or a link to a debdiff or the fixed version from
> snapshot.d.o this could be very useful for people wanting to apply
> fixes to internally modified packages and to the security teams of
> Debian derivatives.
>
> https://security-tracker.debian.org/tracker/source-package/samba

The detail page for each CVE lists the release and version information and has a link to the PTS to get more information on the changes in the version. (This also provides the link to the changelog for #611162.)

e.g. https://security-tracker.debian.org/tracker/CVE-2021-23192

The notes for a CVE will, wherever possible, already provide a link to the upstream change, which would seem to be more suitable for modified packages & derivatives.

The difficulty with both the debdiff and snapshot links is that many CVEs are filed after the fix has been released & uploaded to unstable, so the CVE will not be mentioned in the package changelog & the change (in unstable) will typically be a large change like a new upstream release, not a targeted fix specific to the CVE. The fixed version in the CVE detail page for unstable then points at the first version in unstable which contains the fix. This, in turn, is not necessarily the same upstream release that fixed the CVE; it could easily be several upstream releases later, depending on the activity of the Debian maintainer & the rate of upstream releases. A debdiff of that size is not likely to be of any use.

Secondly, the fix for the CVE is often masked by later changes in the same area of code. By the time the code is updated in Debian, the fixed code may have been reworked several times. (Sometimes introducing and then fixing new CVEs.) Depending on the package, many modified packages and derivatives will not make changes for every change in the archive, further complicating the differences between versions.

So an element of human investigation is always going to be required when applying a CVE fix in Debian to a modified package or derivative - an automated link could end up being less helpful than the current links.

In cases where the CVE is filed and set as unfixed in the tracker, a Debian bug will generally be filed and that bug number is included in the detail page for the CVE. Where there has been no upstream release & the CVE is fixed by an upload to unstable, common practice is to reference the CVE in the patch name or description as well as in the changelog. The place to determine that would appear to be within the PTS, not the security tracker.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/