Re: Advisory description text

To: debian-security@lists.debian.org
Subject: Re: Advisory description text
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 8 Jan 2008 19:35:17 +0100
Message-id: <[🔎] slrnfo7gj5.3nb.jmm@inutil.org>
References: <20080107184120.GA3406@galadriel.inutil.org> <[🔎] 4782838E.5080101@galacticasoftware.com>

Adam Majer wrote:

> Moritz Muehlenhoff wrote:
>> CVE-2007-3382
>> 
>>     It was discovered that single quotes (') in cookies were treated
>>     as a delimiter, which could lead to an information leak.
>> 
>> CVE-2007-3385
>> 
>>     It was discovered that the character sequence \" in cookies was
>>     handled incorrectly, which could lead to an information leak.
>> 
>> CVE-2007-5461
>> 
>>     It was discovered that the WebDAV servlet is vulnerable to absolute
>>     path traversal.
>> 
>
> First of all, this is not targeted at this specific advisory or any
> person writing this advisory. :)
>
> Generally, the first little bits of each and every CVE description
> above, as well as in other advisories sent out by Debian, is not needed.
> Please, remove the "It was discovered that" part from any templates that
> you may be using. That part is not needed. It is also implied and
> doesn't add anything to the advisory.

This is for consistency. Normally, we credit the person, who discovered
the issues, like:

CVE-2008-0100

       Adam Majer discovered a stylistic error in advisory texts, which
       may lead to local admin boredom, resulting in denial of service.

Only if the researcher is unknown it's simply replaced by "It was
discovered".

Cheers,
        Moritz

Reply to:

References:
- Advisory description text
  - From: Adam Majer <adamm@galacticasoftware.com>

Prev by Date: Re: www.juniorguide.com
Next by Date: Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
Previous by thread: Re: Advisory description text
Next by thread: Alborques Online Gallery
Index(es):
- Date
- Thread