[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DSA 1184 corrections

Hi Joey,

On Thu, Oct 05, 2006 at 09:06:41AM +0200, Martin Schulze wrote:
> Jens Seidel wrote:
> > I applied the following patch to CVS and hope I did it right. But I have
> > one problem understanding the text:
> > 
> > Index: dsa-1184.wml
> > ===================================================================
> > RCS file: /cvs/webwml/webwml/english/security/2006/dsa-1184.wml,v
> > retrieving revision 1.5
> > retrieving revision 1.6
> > diff -u -r1.5 -r1.6
> > --- dsa-1184.wml	29 Sep 2006 19:01:15 -0000	1.5
> > +++ dsa-1184.wml	2 Oct 2006 17:35:13 -0000	1.6
> > @@ -1,6 +1,6 @@
> >  <define-tag description>several vulnerabilities</define-tag>
> >  <define-tag moreinfo>
> > -<p>This advisory covers the S/390 components of the recent security
> > +<p>This advisory covers the S/390 component of the recent security

> Umh...  Now the advisory text is misleading on the web:
>    More information:
>           This advisory covers the S/390 component of the recent
>           security update for the Linux 2.6.8 kernel that was missing
>           due to technical problems. For reference, please see the
>           text of the original advisory.
> This advisory DSA 1184 does not only cover the S/390 components but
> updates for all architectures.  The update DSA 1184-2, linked at the
> bottom as revised advisory (strictly speaking, it's not a revised
> advisory but an addition, so maybe we need a new string and tag)
> covers only the S/390 components.
> Btw. since there are four binary packages for S/390, it's plural, hence,
> components.

OK, but shouldn't it be "that WERE missing" if you use plural or does
"was" refer to "the recent security update"?

Since I was not absolutely sure I sent this to debian-www.
> > @@ -67,7 +67,7 @@
> >  
> >      <p>Diego Calleja Garcia discovered a buffer overflow in the DVD
> >      handling code that could be exploited by a specially crafted DVD
> > -    or USB storage device to execute arbitrary code.</p></li>
> > +    USB storage device to execute arbitrary code.</p></li>
> It is DVD or USB storage as both can trigger the vulnerability. 


I googled for this vulnerability before I changed anything. As far as I
understand the DVD driver/handling code is affected and this can only
be exploited using a DVD hardware device, e.g. a USB DVD device or even
an ATAPI drive.

Since ATAPI was not mentioned (it's probably easier to exploit this by using an
external device) I fixed the DSA.

Do you really think an external USB hard disk device could be used? 
(BTW, what about DVD Firewire devices?)
> Please don't change the meaning of security updates without consultation
> of the security team.  Typos and broken wordings and the like that

OK, I added it to CC: and will be more carefully in the future. (There where
no other changes to content from me, only typo fixes.)

> doesn't change the meaning, please correct on your own, it's already
> too bad that there are such bugs from time to time.

PS: Since I translated the last DSAs into German I noticed a few
inconsistencies probably related to the fact, that various people write
now DSAs.

Both "The Common Vulnerabilities and Exposures"
»identifies the following problems:«
»identifies the following vulnerabilities:«
is currently used. Joey preferred always "vulnerabilities" so that I used this
blindly in my translations until I got corrected by Helge

It's not very important but I would like it to be consistent :-)


Reply to: