
Proposed changes to old DSA web pages



This post is mainly addressed to Matt and/or Javier, but all should
feel free to comment, if they choose to.


On the Debian Web Pages TODO List, there is a security section
that requests additional information for older advisories.  Some
of the oldest are on a page labeled 'undated'.  I have collected
references that could be used to update those advisories.

Sample patches for one of the advisories were sent to the debian-www
list, along with some questions.  The responses were very helpful,
including the one below:

# Excerpt from email exchanged on debian-www:
On Mon, Jul 21, 2003 at 11:15:14AM +0200, Gerfried Fuchs wrote:
>
>  About your initial question if the security team should be informed of
> the changes, I guess Josip misunderstood it (or I do ,).  You don't need
> to inform the security team about changes that don't change the core
> text of the advisory.  If it's about changes to the infrastructure of
> the files (like, links back to the archive or cross references) you
> don't need to inform them. If you on the other hand like to change
> texting which might change the meaning of the text it would rather be a
> good idea to ask them.
>
>  Uhm, on second thought, I guess Matt and/or Javier are doing a database
> of crossreferences to vulnerability databases, they might be interested
> in your changes in that part, too.
>

Matt and/or Javier, do you have any comments or suggestions?  Do you want
to be notified and/or approve the changes?  If yes, where would you like
the notification sent?

# Below is text of a proposed ssh page.
## Note, there is nothing that absolutely ensures that the new
## information is related to the original DSA.
# cc = Is in original wml file, but not displayed on the web page.
# ++ = proposed new data.
# The 'cc' and '++' won't be in the final version.

  Date Reported:
      undated
  Affected Packages:
      ssh
  Vulnerable:
cc      Yes
  Security database references:
++      CERT's vulnerabilities, advisories and incident notes: CA-1998-03.
  More information:
       ssh allowed non-privileged users to forward privileged ports.
       Fixes: ssh 1.2.21-1 or later
++     The information below was added in July 2003:
++        * Insufficient permission checking may allow an SSH client user to
++          access remote accounts belonging to the ssh-agent user.
++        * SSH versions 1.2.17 thru 1.2.21 are vulnerable. SSH versions prior
++          to 1.2.17 are vulnerable to a different, though similar attack.
  Fixed in:
cc      Intel - (in release 1.1) 1.2.21-1
#End of sample.

The similarities between old and new information in this case are:
  -  Version numbers correspond.
  -  The date of CA-1998-03 is in the correct time frame.
  -  CA-1998-03 contains text that is similar to the original DSA.

Changes are welcome.  For example :), the ...July 2003 line was intended
to preserve the integrity of the original DSA, but it isn't because the
changes appear in different sections.  I intend to remove that line.

Doug Jensen


