Re: not listing -2 DSA's in data/DSA/list

To: debian-security-tracker@lists.debian.org
Subject: Re: not listing -2 DSA's in data/DSA/list
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Tue, 18 May 2010 21:02:39 -0400
Message-id: <[🔎] 20100518210239.741f1cc5.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] dbbf50d0962383978b33a5cb734f9d57.squirrel@wm.kinkhorst.nl>
References: <E1OE9CO-0000pZ-7u@alioth.debian.org> <[🔎] dbbf50d0962383978b33a5cb734f9d57.squirrel@wm.kinkhorst.nl>

On Tue, 18 May 2010 08:36:37 +0200 Thijs Kinkhorst wrote:

> Hi all,
> 
> On Tue, May 18, 2010 00:54, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2010-05-17 22:54:10 +0000 (Mon, 17 May 2010)
> > New Revision: 14698
> >
> > Modified:
> >    data/CVE/list
> >    data/DSA/list
> > Log:
> > NFUs, new issues, and dsa-2038-2
> 
> > Modified: data/DSA/list
> > ===================================================================
> > --- data/DSA/list	2010-05-17 21:15:08 UTC (rev 14697)
> > +++ data/DSA/list	2010-05-17 22:54:10 UTC (rev 14698)
> > @@ -1,3 +1,6 @@
> > +[17 May 2010] DSA-2038-2 pidgin - regression fix
> > +	{CVE-2010-0420 CVE-2010-0423}
> > +	[lenny] - pidgin 2.4.3-4lenny7
> >  [17 May 2010] DSA-2047-1 aria2 - directory traversal
> >  	{CVE-2010-1512}
> >  	[lenny] - aria2 0.14.0-1+lenny2
> 
> It is by design that the automatic dsa2list-script skips updates to
> existing DSA's ("-2"'s).
> 
> The update DSA-2038-2 is a regression fix because functionality was broken
> by the DSA-2038-1 in a way that does not impact security. The majority of
> -2 releases are such fixes; only occasionally there's an incomplete fix
> and the -2 is necessary to remain secure.
> 
> It doesn't make sense to me to add such non-security regression fixes to
> the tracker, because this will make the tracker display that DSA-2038-2 /
> pidgin 2.4.3-4lenny7 is necessary to be not vulnerable against
> CVE-2010-0420 and CVE-2010-0423. This is not the case, as systems with
> 2.4.3-4lenny6 are secure, just have a non-security bug (which may not
> impact them at all).
> 
> I would therefore like to stress once more that we do not add -2 DSA's to
> the tracker unless they have an actual security impact, that is, they
> correct an incomplete fix for a vulnerability. Else we're communicating
> things about which version fixes a vulnerability that aren't accurate.

this is actually a tracker processing issue.  i just submitted a bug to
make sure we remember to fix it [1].  in the meantime, i think we
should continue to track all dsa's so that info isn't lost once we fix
the issue.

mike

[1] http://bugs.debian.org/582196

Reply to:

References:
- not listing -2 DSA's in data/DSA/list
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Bug#582196: "regression fix" dsa's should not alter previous fixed version info
Next by Date: Bug#582196: marked as done ("regression fix" dsa's should not alter previous fixed version info)
Previous by thread: not listing -2 DSA's in data/DSA/list
Next by thread: Bug#582196: "regression fix" dsa's should not alter previous fixed version info
Index(es):
- Date
- Thread