
Re: Web Pages TODO List - Security



On Sun, Jul 20, 2003 at 02:16:19PM -0600, doug jensen wrote:
>   Find the "moreinfo" entries for older years that contain mentions
>   of lists-archives instead of including text from it or even linking
>   to it, and correct it.
> 
>   There are many advisories in 1997 and early 1998 that lack even the
>   basic extra information -- find it and document it. Somehow. :)
> 
> 1)  Should the Security team be notified of changes to the DSAs?

If you're uncertain about anything, they'd likely be the most likely group
where there would be someone who remembers.

> 2)  It seems difficult, sometimes, to be positive that the "new"
>     information is exactly what the original DSA was issued for.
>     My method so far has been:
>        a)  Google, using; <keywords from the DSA> [1997 1998].
>        b)  Scan various security archives.
>        c)  Occasionally look in changelogs (generally didn't help).
>        d)  Pick what seems to be the most appropriate information.
>     Comments, suggestions?

What about the debian-security-announce list archive?

Those things were the bulk of my complaint which I noted in the TODO file.
There are advisory web pages that have links into the list archive rather
than having the content in them. That's reasonably easy to fix but it needs
man hours.

> 3)  Below are three test patches.  Comments, suggestions?

>  <p>Fixes: ssh 1.2.21-1 or later
> +
> +<p>The information below was added in July 2003.  Please report
> +additions or corrections to debian-www@lists.debian.org:
> +<li>Insufficent permission checking may allow a SSH client user, to access
> +remote accounts belonging to the ssh-agent user.
> +<li>SSH versions 1.2.17 thru 1.2.21 are vulnerable.  SSH versions prior to
> +1.2.17 are vunerable to a different, though similar attack.
> +<li>Reference to CA-1998-03 was added.
> +<li>Changed "Vunerable" to show "Yes".
> +<li>Data is now displayed for "Fixed in".
> +
>  </define-tag>
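
Review bot: the five added <li> lines sit directly after a <p> with no enclosing <ul>, so the list markup is incomplete; wrap them in <ul> ... </ul>. The added text also has spelling errors to fix before commit: "Insufficent" should be "Insufficient" and "vunerable" should be "vulnerable", and the comma after "a SSH client user" is stray. The introductory sentence ends with a colon right after the debian-www address, so the list reads as if it belonged to the reporting address rather than to the advisory; end that sentence with a period and introduce the list separately.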

Looks okay... but I'd move the note about potential problems below the list,
and remove the last three items -- visitors don't really care much about our
administrivia. Note also that <ul> tags need to surround the <li>s.

-- 
     2. That which causes joy or happiness.


