Re: not listing -2 DSA's in data/DSA/list
On Tue, 18 May 2010 08:36:37 +0200 Thijs Kinkhorst wrote:
> Hi all,
>
> On Tue, May 18, 2010 00:54, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2010-05-17 22:54:10 +0000 (Mon, 17 May 2010)
> > New Revision: 14698
> >
> > Modified:
> > data/CVE/list
> > data/DSA/list
> > Log:
> > NFUs, new issues, and dsa-2038-2
>
> > Modified: data/DSA/list
> > ===================================================================
> > --- data/DSA/list 2010-05-17 21:15:08 UTC (rev 14697)
> > +++ data/DSA/list 2010-05-17 22:54:10 UTC (rev 14698)
> > @@ -1,3 +1,6 @@
> > +[17 May 2010] DSA-2038-2 pidgin - regression fix
> > + {CVE-2010-0420 CVE-2010-0423}
> > + [lenny] - pidgin 2.4.3-4lenny7
> > [17 May 2010] DSA-2047-1 aria2 - directory traversal
> > {CVE-2010-1512}
> > [lenny] - aria2 0.14.0-1+lenny2
>
> It is by design that the automatic dsa2list-script skips updates to
> existing DSA's ("-2"'s).
>
> The update DSA-2038-2 is a regression fix because functionality was broken
> by the DSA-2038-1 in a way that does not impact security. The majority of
> -2 releases are such fixes; only occasionally there's an incomplete fix
> and the -2 is necessary to remain secure.
>
> It doesn't make sense to me to add such non-security regression fixes to
> the tracker, because this will make the tracker display that DSA-2038-2 /
> pidgin 2.4.3-4lenny7 is necessary to be not vulnerable against
> CVE-2010-0420 and CVE-2010-0423. This is not the case, as systems with
> 2.4.3-4lenny6 are secure, just have a non-security bug (which may not
> impact them at all).
>
> I would therefore like to stress once more that we do not add -2 DSA's to
> the tracker unless they have an actual security impact, that is, they
> correct an incomplete fix for a vulnerability. Else we're communicating
> things about which version fixes a vulnerability that aren't accurate.
this is actually a tracker processing issue. i just submitted a bug to
make sure we remember to fix it [1]. in the meantime, i think we
should continue to track all dsa's so that info isn't lost once we fix
the issue.
mike
[1] http://bugs.debian.org/582196
Reply to: