Re: Advisory description text



On Mon, Jan 07, 2008 at 10:20:40PM +0100, Christoph Ulrich Scholler wrote:
> Hi,
> 
> On 07.01. 13:54, Adam Majer wrote:
> > Moritz Muehlenhoff wrote:
> > > CVE-2007-3382
> > > 
> > >     It was discovered that single quotes (') in cookies were treated
> > >     as a delimiter, which could lead to an information leak.
> > > 
> > > CVE-2007-3385
> > > 
> > >     It was discovered that the character sequence \" in cookies was
> > >     handled incorrectly, which could lead to an information leak.
> > > 
> > > CVE-2007-5461
> > > 
> > >     It was discovered that the WebDAV servlet is vulnerable to absolute
> > >     path traversal.
> > > 
> > 
> > First of all, this is not targeted at this specific advisory or any
> > person writing this advisory. :)
> > 
> > Generally, the first little bits of each and every CVE description
> > above, as well as in other advisories sent out by Debian, are not needed.
> > Please, remove the "It was discovered that" part from any templates that
> > you may be using. That part is not needed. It is also implied and
> > doesn't add anything to the advisory.
> 
> I respectfully disagree.  A short summary of what a CVE is about is very
> useful for everyone not intimately familiar with all CVEs.  Remember
> that Debian is not only used by seasoned professionals who know all
> pertinent security advisory distribution channels by heart.  A little
> "redundancy" is a good thing when humans are involved.
 
I think that the OP wanted things to read:
| CVE-2007-3382
| 
|     Single quotes (') in cookies were treated as a delimiter, which
|     could lead to an information leak.

Rather than remove the whole description.
-- 
Rob
  I know you think you thought you knew what you thought I said,
  but I'm not sure you understood what you thought I meant.
