Re: DSA 1184 corrections
On Thu, Oct 05, 2006 at 09:06:41AM +0200, Martin Schulze wrote:
> Jens Seidel wrote:
> > I applied the following patch to CVS and hope I did it right. But I have
> > one problem understanding the text:
> > Index: dsa-1184.wml
> > ===================================================================
> > RCS file: /cvs/webwml/webwml/english/security/2006/dsa-1184.wml,v
> > retrieving revision 1.5
> > retrieving revision 1.6
> > diff -u -r1.5 -r1.6
> > --- dsa-1184.wml 29 Sep 2006 19:01:15 -0000 1.5
> > +++ dsa-1184.wml 2 Oct 2006 17:35:13 -0000 1.6
> > @@ -1,6 +1,6 @@
> > <define-tag description>several vulnerabilities</define-tag>
> > <define-tag moreinfo>
> > -<p>This advisory covers the S/390 components of the recent security
> > +<p>This advisory covers the S/390 component of the recent security
> Umh... Now the advisory text is misleading on the web:
> More information:
> This advisory covers the S/390 component of the recent
> security update for the Linux 2.6.8 kernel that was missing
> due to technical problems. For reference, please see the
> text of the original advisory.
> This advisory DSA 1184 does not only cover the S/390 components but
> updates for all architectures. The update DSA 1184-2, linked at the
> bottom as revised advisory (strictly speaking, it's not a revised
> advisory but an addition, so maybe we need a new string and tag)
> covers only the S/390 components.
> Btw. since there are four binary packages for S/390, it's plural, hence,
OK, but shouldn't it be "that WERE missing" if you use plural or does
"was" refer to "the recent security update"?
Since I was not absolutely sure I sent this to debian-www.
> > @@ -67,7 +67,7 @@
> > <p>Diego Calleja Garcia discovered a buffer overflow in the DVD
> > handling code that could be exploited by a specially crafted DVD
> > - or USB storage device to execute arbitrary code.</p></li>
> > + USB storage device to execute arbitrary code.</p></li>
> It is DVD or USB storage as both can trigger the vulnerability.
I googled for this vulnerability before I changed anything. As far as I
understand the DVD driver/handling code is affected and this can only
be exploited using a DVD hardware device, e.g. a USB DVD device or even
an ATAPI drive.
Since ATAPI was not mentioned (it's probably easier to exploit this by using an
external device) I fixed the DSA.
Do you really think an external USB hard disk device could be used?
(BTW, what about DVD Firewire devices?)
> Please don't change the meaning of security updates without consultation
> of the security team. Typos and broken wordings and the like that
OK, I added it to CC: and will be more carefully in the future. (There where
no other changes to content from me, only typo fixes.)
> doesn't change the meaning, please correct on your own, it's already
> too bad that there are such bugs from time to time.
PS: Since I translated the last DSAs into German I noticed a few
inconsistencies probably related to the fact, that various people write
Both "The Common Vulnerabilities and Exposures"
»identifies the following problems:«
»identifies the following vulnerabilities:«
is currently used. Joey preferred always "vulnerabilities" so that I used this
blindly in my translations until I got corrected by Helge
It's not very important but I would like it to be consistent :-)