Your message dated Thu, 3 Feb 2022 11:07:06 +0000 with message-id <20220203110706.1404efb1@felix.codehelp> and subject line Merged has caused the Debian Bug report #1001451, regarding security-tracker: create tool to ease processing of new uploads that fix CVEs to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1001451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001451
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: security-tracker: create tool to ease processing of new uploads that fix CVEs
- From: Neil Williams <codehelp@debian.org>
- Date: Fri, 10 Dec 2021 10:41:01 +0000
- Message-id: <163913286148.129423.13368997047364584570.reportbug@felix.codehelp>
Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codehelp@debian.org

This is one of a few bugs arising from discussions with Salvatore & Moritz whilst triaging CVEs.

When an upload is made to unstable or experimental, triage of debian-devel-changes will list any CVEs fixed. It would be useful to have a simple tool (bin/grab-cve-in-fix <package_name>) which:

- queries the latest version of source:<package_name> in unstable
- extracts all mentioned CVE IDs from the change
- creates a correctly formatted CVE snippet with the recorded fixes that can be reviewed and merged into the main data/CVE/list

All changes would need manual review.

The email from debian-devel-changes could provide enough information. Alternatively, tracker.d.o or apt-cache could be used (e.g. relying on the `make update-packages` support already available in the security tracker code).

1: Provide an option to parse the email from debian-devel-changes
2: Provide an option to look up the information using tracker.d.o
3: Fall back to looking up the information in the local apt-cache data populated by 'make update-packages'

Output a file which can be used with bin/merge-cve-files once the changes have been reviewed.

Additionally, implement support for a similar process to update all CVEs whenever a package moves out of NEW and into the archive.
--- End Message ---
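An added sketch of option 1 from the request above (parsing the debian-devel-changes mail); it is not the security-tracker's own bin/grab-cve-in-fix. The sample mail, the CVE IDs and the function names are constructed, and the output layout (a CVE ID line followed by a tab-indented `- package version` line) is an assumption modeled on data/CVE/list.

```python
import re

# Case-insensitive so that "cve-..." in a changelog entry is still caught.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample of an "Accepted" mail body; the CVE IDs are not real.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Fri, 10 Dec 2021 09:00:00 +0000
Source: examplepkg
Version: 1.2.3-2
Distribution: unstable
Urgency: medium
Changes:
 examplepkg (1.2.3-2) unstable; urgency=medium
 .
   * Fix heap overflow in parser (CVE-2021-900002, CVE-2021-900001)
   * Also addresses cve-2021-900001 in the fallback path.
"""

def parse_fields(text):
    """Parse 'Key: value' fields; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def cve_snippet(changes_text):
    """Return a reviewable snippet, one entry per CVE fixed by the upload."""
    fields = parse_fields(changes_text)
    source, version = fields.get("Source"), fields.get("Version")
    # Only uploads to unstable or experimental are in scope for this request.
    if fields.get("Distribution") not in ("unstable", "experimental"):
        return ""
    if not source or not version:
        return ""
    # Normalise case, drop duplicates, order by (year, number) numerically.
    cves = sorted({c.upper() for c in CVE_RE.findall(fields.get("Changes", ""))},
                  key=lambda c: tuple(int(p) for p in c.split("-")[1:]))
    return "".join(f"{cve}\n\t- {source} {version}\n" for cve in cves)

if __name__ == "__main__":
    print(cve_snippet(SAMPLE_CHANGES), end="")
```

The result is only a candidate for manual review, as the request requires, before anything is merged.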
--- Begin Message ---
- To: 1001451-done@bugs.debian.org, 1001453-done@bugs.debian.org
- Subject: Merged
- From: Neil Williams <codehelp@debian.org>
- Date: Thu, 3 Feb 2022 11:07:06 +0000
- Message-id: <20220203110706.1404efb1@felix.codehelp>
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38fc7543c6e8fc4a2d15540fd63b837218361e8f

Incremental work will continue from here for feature requests and to run tests on the bin/ and lib/ scripts (on branches or possibly on schedules).

--
Neil Williams
=============
https://linux.codehelp.co.uk/

Attachment: pgp6ZVB4w0ylC.pgp
Description: OpenPGP digital signature
--- End Message ---