Bug#761859: security-tracker json deployed
On Mon, 16 Mar 2015, Raphael Hertzog wrote:
> On Mon, 09 Mar 2015, Holger Levsen wrote:
> > I have deployed this now. It might be that fixed_version=0 means "not
> > affected" but I'm not sure yet and my mind wants a break (for a moment)...
>
> Another nice thing to add in the generated file is whether the package is
> listed in dsa-needed.txt and dla-needed.txt.
>
> That would be two boolean fields at the source package level (default value
> of False if missing).
I'm currently trying to use the generated json but the data below the
releases field doesn't correspond to what we discussed. It contains
entries like wheezy-security or squeeze-security when it was supposed
to have only the underlying release names "squeeze" or "wheezy".
Example with CVE-2014-9663 in freetype if you need one:
    {
      "debianbug": 777656,
      "description": "The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.",
      "issue": "CVE-2014-9663",
      "releases": {
        "jessie": {
          "status": "resolved",
          "urgency": "high**",
          "version": "2.5.2-3"
        },
        "sid": {
          "status": "resolved",
          "urgency": "high**",
          "version": "2.5.2-3"
        },
        "squeeze-security": {
          "status": "open",
          "urgency": "high**",
          "version": "2.4.2-2.1+squeeze4"
        },
        "wheezy-security": {
          "status": "resolved",
          "urgency": "high**",
          "version": "2.4.9-1.1+deb7u1"
        }
      },
      "repositories": {
        "jessie": "2.5.2-3",
        "sid": "2.5.2-4",
        "squeeze": "2.4.2-2.1+squeeze4",
        "squeeze-security": "2.4.2-2.1+squeeze4",
        "wheezy": "2.4.9-1.1",
        "wheezy-security": "2.4.9-1.1+deb7u1"
      },
      "scope": "remote"
    },
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
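To make the mismatch described in the message concrete, here is an added consumer-side check (example code, written for this page; it is not part of the security tracker or of the thread) that validates the keys under "releases" against the plain release names agreed on and folds "<release>-security" keys back onto their base release. It uses the freetype entry quoted above as its input; the expected release set and the conflict handling are assumptions of the example.

```python
import json

# Plain release names a consumer expects under "releases" (assumed for this
# example); anything else, e.g. "wheezy-security", is reported and folded.
EXPECTED_RELEASES = {"squeeze", "wheezy", "jessie", "sid"}

# The freetype CVE-2014-9663 entry quoted in the message, embedded inline
# (the long "description" field is left out for brevity).
FREETYPE_ENTRY = json.loads("""
{
  "debianbug": 777656,
  "issue": "CVE-2014-9663",
  "releases": {
    "jessie": {"status": "resolved", "urgency": "high**", "version": "2.5.2-3"},
    "sid": {"status": "resolved", "urgency": "high**", "version": "2.5.2-3"},
    "squeeze-security": {"status": "open", "urgency": "high**",
                         "version": "2.4.2-2.1+squeeze4"},
    "wheezy-security": {"status": "resolved", "urgency": "high**",
                        "version": "2.4.9-1.1+deb7u1"}
  },
  "scope": "remote"
}
""")


def unexpected_release_keys(entry):
    """Return, sorted, the "releases" keys that are not plain release names."""
    return sorted(k for k in entry["releases"] if k not in EXPECTED_RELEASES)


def normalize_releases(entry):
    """Fold "<release>-<suite>" keys onto the base release name.

    Returns (folded, conflicts). The first entry seen for a base release is
    kept; a later key for the same base whose data differs is recorded in
    conflicts instead of silently overwriting it. Unknown base names raise.
    """
    folded = {}
    conflicts = []
    for key, data in entry["releases"].items():
        base = key.split("-", 1)[0]
        if base not in EXPECTED_RELEASES:
            raise ValueError(f"unknown release in key {key!r}")
        if base in folded:
            if folded[base] != data:
                conflicts.append((base, key))
            continue
        folded[base] = data
    return folded, conflicts
```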