security tracker end-of-life patch
Hi,
Right now, the security tracker shows CVEs marked as "end-of-life" as
"vulnerable", and in the open issue list. A good example is the redmine
package:
https://security-tracker.debian.org/tracker/source-package/redmine
CVE-2015-8477, CVE-2014-1985, CVE-2012-2054 and CVE-2012-0327 all
affect only wheezy and squeeze, so they shouldn't be marking redmine
as "insecure", as they affect only "unsupported" versions of the
package.
The attached patch, which I could commit but would prefer a review of,
should fix this:
Index: lib/python/security_db.py
===================================================================
--- lib/python/security_db.py (révision 38625)
+++ lib/python/security_db.py (copie de travail)
@@ -179,7 +179,7 @@
# Compute state. Update state-seen flags for global state
# determination.
if best_row.vulnerable:
- if best_row.urgency == 'unimportant':
+ if best_row.urgency == 'unimportant' or best_row.urgency == 'end-of-life':
state = 'unimportant'
unimportant_seen = True
else:
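Review bot: the added condition in `if best_row.urgency == 'unimportant' or best_row.urgency == 'end-of-life':` folds end-of-life issues into the 'unimportant' state, so the tracker will display an end-of-life entry with the label "unimportant" and set `unimportant_seen`, which hides the actual reason the issue is not counted as open. If the display code has no separate end-of-life state, at least extend the comment above the block ("Compute state. Update state-seen flags ...") to record that end-of-life is deliberately treated like unimportant, and consider the shorter `best_row.urgency in ('unimportant', 'end-of-life')`, which also keeps the line within the usual length limit.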
This marks "end-of-life" packages as "unimportant". An alternative would
be to mark them as fixed:
Index: lib/python/security_db.py
===================================================================
--- lib/python/security_db.py (révision 38625)
+++ lib/python/security_db.py (copie de travail)
@@ -178,7 +178,7 @@
# Compute state. Update state-seen flags for global state
# determination.
- if best_row.vulnerable:
+ if best_row.vulnerable and best_row.urgency != 'end-of-life':
if best_row.urgency == 'unimportant':
state = 'unimportant'
unimportant_seen = True
I tested the former locally, and it looks okay, but I think the latter
makes more sense.
Let me know what you think is best.
Thanks!
a.
--
Only what can be refuted has a scientific character. What cannot be
refuted belongs to magic or mysticism.
- Karl Popper