On Wed, 22 Sep 2021 15:34:32 -0400 "Roberto C. Sanchez" <roberto@debian.org> wrote:
> Package: security-tracker
> Severity: normal
>
>
> It appears that when parsing data/CVE/list and a URL is encountered,
> that extraneous characters can end up included in the link, which
> can result in the actual link not reflecting the intended link. For
> example, https://security-tracker.debian.org/tracker/CVE-2020-13230
> links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
> but incorrectly includes the closing parenthesis that denotes the end of
> the note text as part of the link.
This looks like it actually needs an improvement to the syntax of that CVE.
The URL would typically be part of a NOTE: line, not part of the comment.
e.g. current:
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately ...)
	- cacti 1.2.11+ds1-1
	[buster] - cacti 1.2.2+ds1-2+deb10u3
	[stretch] - cacti <no-dsa> (Minor issue, Partial patch https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
	NOTE: https://github.com/Cacti/cacti/issues/3343
Proposed:
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately ...)
	- cacti 1.2.11+ds1-1
	[buster] - cacti 1.2.2+ds1-2+deb10u3
	[stretch] - cacti <no-dsa> (Minor issue, Partial patch)
	NOTE: https://github.com/Cacti/cacti/issues/3343
	NOTE: https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
Other CVEs with URLs in the comment include:
CVE-2017-0381
CVE-2018-16869
CVE-2021-32686
CVE-2020-28491
CVE-2008-5161
All other CVEs that reference a URL do so via a NOTE: entry.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
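The link bug and the NOTE: convention discussed in this thread, as an added example (not security-tracker code): a greedy URL scan over the entry shown above swallows the comment's closing parenthesis, a trimming pass drops it only when the ')' is unbalanced, and restricting extraction to NOTE: lines sidesteps the problem entirely. The entry text is constructed from the thread, with the description abbreviated.

```python
import re

# Constructed sample in data/CVE/list format, copied from the thread
# (description abbreviated). Continuation lines are tab-indented.
ENTRY_CURRENT = (
    "CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account ...)\n"
    "\t- cacti 1.2.11+ds1-1\n"
    "\t[buster] - cacti 1.2.2+ds1-2+deb10u3\n"
    "\t[stretch] - cacti <no-dsa> (Minor issue, Partial patch "
    "https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)\n"
    "\tNOTE: https://github.com/Cacti/cacti/issues/3343\n"
)

URL_RE = re.compile(r"https?://\S+")
TRAILING = ".,;:)"


def extract_urls_naive(text):
    """Greedy scan: every non-space run after http(s):// is the link, so the
    ')' closing a <no-dsa> comment ends up inside the URL (the reported bug)."""
    return URL_RE.findall(text)


def trim_url(url):
    """Drop trailing punctuation that belongs to the sentence, not the URL.
    A ')' is kept when it closes a '(' that is part of the URL itself."""
    while url and url[-1] in TRAILING:
        if url[-1] == ")" and url.count("(") >= url.count(")"):
            break
        url = url[:-1]
    return url


def extract_urls(text):
    """Same scan as the naive version, with the trailing-punctuation fix."""
    return [trim_url(u) for u in URL_RE.findall(text)]


def note_urls(entry):
    """URLs carried by NOTE: lines only, the convention the reply recommends;
    a NOTE: line holds nothing but the URL, so no comment punctuation follows."""
    urls = []
    for line in entry.splitlines():
        line = line.strip()
        if line.startswith("NOTE:"):
            urls.extend(extract_urls(line[len("NOTE:"):]))
    return urls
```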