
Improving information available in the DSAs



I talked with Wichert and Josip about this and, after finishing it, I would like the
web team to approve these changes. The main idea is that currently the Security Team
does not add information that correlates the Debian Security Advisories (DSA) with
other databases (bugtraq or CVE), however, these sometimes do point to the DSAs.
Linking to Bugtraq is nice because it provides more information for admins that want
more in-depth information.

It also allows a path of verification of vulnerabilities since many vulnerability
assessment scanners use CVE. An admin could, for example:

- run Nessus against a Debian system
- check the CVE/Bugtraq info regarding vulnerabilities
- check installed updates/patches from DSAs and see how many of the previous are false
positives.
- check the web site and see which DSAs fix which problems.

This idea comes from a previous post to debian-security in which I correlated DSAs and
Bugtraq in order to do some security-fix analysis. So, I have some data I could add to
this year's DSAs for completeness (so the Security Team does not have to do so
themselves).

Attached is a patch to english/template/debian/security.wml. With this patch .data
files from DSAs can add <secids> tags referencing Bugtraq and CVE and this
information will be included in the web page.

I attach:

1.- the patch (speaks for itself)

2.- a patch for dsa-011 to see how this information will be included

3.- dsa-011 compiled with the new patch to see how the information will be presented.

	If everyone thinks this is fine I will commit this to CVS in a week. Comments?

	Merry Christmas

	Javi

PS: The patch could be improved so that it only prints the "More information" if the
references are included (currently it prints it in any case; my knowledge of
WML stops here :( )
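The four-step check described in the message (scan, look up CVE/Bugtraq ids, compare with the DSAs applied on the host, see which scanner hits are false positives), as an added example that is not code from the original post or from the Debian web team. It parses the `<define-tag secids>...</define-tag>` line the patch introduces into DSA `.data` files, normalises scanner-style identifiers, and reports which findings are already covered by an applied DSA. It goes beyond the patch in one respect: it accepts the hyphenated `CVE-YYYY-NNNN` and `CAN-YYYY-NNNN` forms and folds candidates onto CVE names, which is an assumption of this example. The `DSA-SAMPLE` entry, its ids and the scanner findings are constructed; only the DSA-011 / BID2187 pairing is taken from the page, and the set of applied DSAs is supplied by the caller rather than read from dpkg.

```python
"""Correlate scanner findings (CVE/BID ids) with Debian Security Advisories.

Added example; not code from the original post or from the Debian web team.
Assumptions: a DSA .data file carries `<define-tag secids>...</define-tag>`
whose body is a whitespace-separated list of BIDnnnn / CVE-YYYY-NNNN /
CAN-YYYY-NNNN tokens (the hyphenated CVE forms go beyond the patch's regex);
which DSAs are applied on the host is supplied by the caller.  All sample
data is constructed, except the DSA-011 / BID2187 pair taken from the page.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

_REF_RE = re.compile(
    r"^(?:BID-?(\d+)|(?:CVE|CAN)-?(\d{4})-?(\d{4,}))$", re.IGNORECASE)
_SECIDS_RE = re.compile(
    r"<define-tag\s+secids>(.*?)</define-tag>", re.IGNORECASE | re.DOTALL)


def normalize_ref(token: str) -> str:
    """Canonical form: 'bid2187' -> 'BID-2187', 'CAN-2001-0141' -> 'CVE-2001-0141'.

    CAN- (candidate) names are folded onto CVE- so that a scanner reporting the
    candidate and a DSA citing the accepted entry still match (assumption).
    Raises ValueError for anything that is not a BID/CVE/CAN identifier, so a
    typo in a .data file fails loudly instead of silently never matching.
    """
    m = _REF_RE.match(token.strip())
    if m is None:
        raise ValueError(f"unrecognised security reference: {token!r}")
    if m.group(1) is not None:
        return f"BID-{int(m.group(1))}"
    return f"CVE-{m.group(2)}-{m.group(3)}"


def parse_secids(data_text: str) -> Set[str]:
    """Return the normalised set of references declared in a DSA .data body."""
    refs: Set[str] = set()
    for m in _SECIDS_RE.finditer(data_text):
        refs.update(normalize_ref(tok) for tok in m.group(1).split())
    return refs


def correlate(findings: Iterable[str],
              dsa_refs: Dict[str, Set[str]],
              applied_dsas: Set[str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Split scanner findings into covered and unresolved.

    covered[ref]    -> applied DSAs that cite ref (the scanner hit is a false
                       positive because the fix is installed)
    unresolved[ref] -> DSAs citing ref that are NOT applied; [] if no DSA cites
                       it at all (a real gap, or something Debian never tracked)
    """
    covered: Dict[str, List[str]] = {}
    unresolved: Dict[str, List[str]] = {}
    for raw in findings:
        ref = normalize_ref(raw)
        citing = sorted(d for d, refs in dsa_refs.items() if ref in refs)
        applied = [d for d in citing if d in applied_dsas]
        if applied:
            covered[ref] = applied
        else:
            unresolved[ref] = citing
    return covered, unresolved


# --- constructed sample data ---------------------------------------------
SAMPLE_DATA_FILES = {
    # DSA-011 / BID2187 is the pairing shown on the page
    "DSA-011": ("<define-tag pagetitle>DSA-011-2 mgetty</define-tag>\n"
                "<define-tag secids>BID2187</define-tag>\n"),
    # hypothetical advisory: two references, one of them a CAN- candidate
    "DSA-SAMPLE": "<define-tag secids>bid9999 CAN-1999-9999</define-tag>\n",
}
SAMPLE_FINDINGS = ["BID-2187", "CVE-1999-9999", "BID7777"]  # constructed scanner output
SAMPLE_APPLIED = {"DSA-011"}                                 # constructed: what the host has


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Run the correlation on the constructed sample; returns (covered, unresolved)."""
    dsa_refs = {dsa: parse_secids(text) for dsa, text in SAMPLE_DATA_FILES.items()}
    return correlate(SAMPLE_FINDINGS, dsa_refs, SAMPLE_APPLIED)


if __name__ == "__main__":
    covered, unresolved = demo()
    for ref, dsas in covered.items():
        print(f"{ref}: fixed by applied {', '.join(dsas)} (scanner false positive)")
    for ref, dsas in unresolved.items():
        print(f"{ref}: " + (f"fixed by {', '.join(dsas)} but NOT applied"
                            if dsas else "no DSA references this id"))
```

On the constructed input, BID-2187 comes out as covered by the applied DSA-011, CVE-1999-9999 as fixed by DSA-SAMPLE but not applied, and BID-7777 as referenced by no DSA at all; the last bucket is the one an admin has to investigate by hand, since the web site can only rule out what the Security Team has tagged.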
Index: security.wml
===================================================================
RCS file: /cvs/webwml/webwml/english/template/debian/security.wml,v
retrieving revision 1.88
diff -u -r1.88 security.wml
--- security.wml	2001/09/22 20:27:45	1.88
+++ security.wml	2001/12/26 11:53:52
@@ -232,6 +232,46 @@
 	<ifeq "<isvulnerable>" "no" "<FONT COLOR=00FF00><no></FONT>">
 </define-tag>
 
+<define-tag bugtraq whitespace=delete>
+	[EN:In the Bugtraq database (at SecurityFocus)::]
+	[ES:En la base de datos de Bugtraq (en SecurityFocus)::]
+</define-tag>
+<define-tag cve whitespace=delete>
+	[EN:In Mitre's CVE dictionary::]
+	[ES:En el diccionario CVE de Mitre::]
+</define-tag>
+
+<perl>
+sub security_references {
+ 	my $refstr = shift(@_);
+	my $str = "";
+	my $bid = "";
+	my $cve = "";
+	foreach $ref (split(' ',$refstr)) { 
+		if ( $ref =~ /BID(\d+)/i ) {
+		$bid .= ", " if $bid ne "";
+		$bid .= "<a href=\"http://www.securityfocus.com/cgi-bin/vulns-item.pl?id=".$1."\";>BID".$1."</A>"; 
+		}
+		if ( $ref =~ /CVE(\d+)/i ) {
+		$cve .= ", " if $cve ne "";
+		$cve .="<a href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=".$1."\";>CVE".$1."</A>";
+		}
+
+	}
+	$str .="<bugtraq> $bid"  if $bid ne "";
+	$str .="<cve> $cve"  if $cve ne "";
+
+	$str .= ". " if $str ne "";
+	return $str;
+}
+</perl>
+<define-tag secdbinfo>
+  [EN:Security Database references:]
+</define-tag>
+<define-tag secreferences>
+  <:= security_references("<secids>") :>
+</define-tag secreferences>
+
 <define-tag fileurl whitespace=delete>
 <A href="%0">%0</A><BR>
 </define-tag>
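Review bot: both anchor strings in security_references carry a stray `;` after the closing quote of the href (`\";>BID".$1."</A>` and `\";>CVE".$1."</A>`), which renders as `<a href="...";>` and is not valid HTML; drop the semicolon. The CVE branch also never matches a real identifier: `/CVE(\d+)/i` requires digits directly after `CVE`, so `CVE-2001-0141` (and `CAN-` candidates) fall through, and even for an all-digit token only the trailing digits reach `cvename.cgi?name=`, which expects the full name. Suggest something like `if ( $ref =~ /^(CVE|CAN)-(\d{4}-\d{4,})$/i )` and building both the URL and the link text from `"$1-$2"`. Two smaller points in the same hunk: `$str` appends the `<bugtraq>` and `<cve>` parts with no separator, so an advisory with both kinds of reference prints them run together; and `secdbinfo` has only an EN slice while `bugtraq` and `cve` carry ES as well. `$ref` in the `foreach` should be declared with `my`.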
@@ -248,6 +288,7 @@
 <DT><datereported>: <DD><:= newsdate('<report_date>') :></DD>
 <DT><affectedpackages>: <DD><packages></DD>
 <DT><vulnerable>: <DD><vulnerability></DD>
+<DT><secdbinfo>:</DT><DD><secreferences></DD>
 <DT><formoreinfo>: <DD><moreinfo></DD>
 #<ifneq "{#securitybody#}" "" "
 <DT><fixedin>: <DD>{#securitybody#}</DD>
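Review bot: the new `<DT><secdbinfo>:</DT><DD><secreferences></DD>` line is emitted unconditionally, so every DSA without a `<secids>` tag gets an empty "Security Database references:" entry (the PS acknowledges this); the `<ifneq "{#securitybody#}" "" "` guard two lines below is the existing idiom for making an entry conditional and the same approach fits here. Also, `secdbinfo` is defined without `whitespace=delete`, unlike `bugtraq` and `cve`, which is why the rendered page shows "Security Database references :" with a space before the colon; and this line closes `</DT>` while the neighbouring entries do not, so pick one style.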
Index: dsa-011.data
===================================================================
RCS file: /cvs/webwml/webwml/english/security/2001/dsa-011.data,v
retrieving revision 1.2
diff -r1.2 dsa-011.data
5a6
> <define-tag secids>BID2187</define-tag>
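Review bot: this second diff was produced without `-u` (ed-style `5a6`, no context), while the template patch is unified; regenerate with `diff -u` so the insertion point inside dsa-011.data is reviewable. Note also that only the hyphenless `BIDnnnn` form shown here is parsed by the template: the CVE regex in security_references (`/CVE(\d+)/i`) does not accept the hyphenated `CVE-YYYY-NNNN` form, so a CVE reference added to a .data file in the usual spelling would not be linked until that regex is fixed.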
Title: Debian GNU/Linux -- Security Information -- DSA-011-2 mgetty

DSA-011-2 mgetty: insecure tempfile handling


Date Reported:
10 Jan 2001
Affected Packages:
mgetty
Vulnerable:
Yes
Security Database references :
In the Bugtraq database (at SecurityFocus): BID2187.
More information:
Immunix reports that mgetty does not create temporary files in a secure manner, which could lead to a symlink attack. This has been corrected in mgetty 1.1.21-3potato1

We recommend you upgrade your mgetty package immediately.

Fixed in:

Debian 2.2 (potato)

Source:

http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21-3potato1.diff.gz
http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21-3potato1.dsc
http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21.orig.tar.gz

Architecture-independent component:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/mgetty-docs_1.1.21-3potato1_all.deb

alpha:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-fax_1.1.21-3potato1_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-viewfax_1.1.21-3potato1_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-voice_1.1.21-3potato1_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty_1.1.21-3potato1_alpha.deb

arm:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-fax_1.1.21-3potato1_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-viewfax_1.1.21-3potato1_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-voice_1.1.21-3potato1_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty_1.1.21-3potato1_arm.deb

i386:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-fax_1.1.21-3potato1_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-viewfax_1.1.21-3potato1_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-voice_1.1.21-3potato1_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty_1.1.21-3potato1_i386.deb

m68k:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/mgetty-fax_1.1.21-3potato1_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/mgetty-viewfax_1.1.21-3potato1_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/mgetty-voice_1.1.21-3potato1_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/mgetty_1.1.21-3potato1_m68k.deb

powerpc:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/mgetty-fax_1.1.21-3potato1_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/mgetty-viewfax_1.1.21-3potato1_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/mgetty-voice_1.1.21-3potato1_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/mgetty_1.1.21-3potato1_powerpc.deb

sparc:

http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-fax_1.1.21-3potato1_sparc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-viewfax_1.1.21-3potato1_sparc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-voice_1.1.21-3potato1_sparc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty_1.1.21-3potato1_sparc.deb


Last Modified: Wed, Dec 26 11:49:16 UTC 2001
Copyright © 1997-2001 SPI; See license terms