
Re: Web Pages TODO List - Security



On Mon, Jul 21, 2003 at 11:15:14AM +0200, Gerfried Fuchs wrote:
> * doug jensen <djen@ispwest.com> [2003-07-20 18:53]:
> > So, I will make those corrections and send the patches back to the list
> > to be committed, or bug reports to www.debian.org, or ...?
> 
>  Send them to the list, IMHO no need to bloat the BTS with it. If no one
> reacts you can still send them to the BTS for them to be more visible.
> 
>  Uhm, on second thought, I guess Matt and/or Javier are doing a database
> of cross-references to vulnerability databases, they might be interested
> in your changes in that part, too.
> 

An email sent to debian-security, asking for comments from Matt and/or
Javier, received no response.

So, I'm wondering if anyone wants to commit the following three patches?
Thanks for your consideration.


# Allows the "fixed in" data to be displayed (for Buzz/Rex).
# Affects several DSAs in the 1998, 1997, and undated directories.
# This template isn't being used for current DSAs, last used in 1998.
--- template/debian/fixes_link.wml.old   Fri Nov  1 06:16:30 2002
+++ template/debian/fixes_link.wml.new   Sat Jul 19 17:26:53 2003
@@ -16,6 +16,12 @@
 <define-tag notapplicable whitespace=delete>
   <gettext>N/A</gettext>
 </define-tag>
+<define-tag in1_1 whitespace=delete>
+  <gettext>in release 1.1</gettext>
+</define-tag>
+<define-tag in1_2 whitespace=delete>
+  <gettext>in release 1.2</gettext>
+</define-tag>
 <define-tag in1_3 whitespace=delete>
   <gettext>in release 1.3</gettext>
 </define-tag>
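Review bot: The new in1_1 and in1_2 tags introduce two new gettext strings ("in release 1.1" and "in release 1.2"), so translated copies of any page that renders a Buzz or Rex fix will show them in English until the translations are updated. Mention the new strings in the commit message so translators know to pick them up.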
@@ -41,6 +47,14 @@
        if ( $release eq "not" )
        {
                $str = "<notneeded/>";
+       }
+       elsif ( $release eq "buzz" )
+       {
+               $str = "$arch - (<in1_1/>) $version";
+       }
+       elsif ( $release eq "rex" )
+       {
+               $str = "$arch - (<in1_2/>) $version";
        }
        elsif ( $release eq "bo" )
        {
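Review bot: In the new buzz and rex branches the codename-to-version mapping (buzz is 1.1, rex is 1.2) is carried only by the tag names in1_1 and in1_2; a short comment above each elsif would make it explicit. The two added assignments also differ only in the tag, so if this chain grows further, a hash keyed on $release would avoid repeating the "$arch - (...) $version" format string.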


## This change allows "Vulnerable" to be "Yes" and "Security database
## reference" to be displayed.
--- security/undated/1ssh.data.old   Thu Apr 19 09:52:11 2001
+++ security/undated/1ssh.data.new   Sat Jul 19 17:37:41 2003
@@ -1,7 +1,8 @@
 <define-tag pagetitle>ssh</define-tag>
 <define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1998-03</define-tag>
 <define-tag packages>ssh</define-tag>
-<define-tag isvulnerable>Yes</define-tag>
+<define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>Yes</define-tag>

 #use wml::debian::security
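Review bot: isvulnerable is lowercased to "yes" here, but the unchanged line directly below it still reads <define-tag fixed>Yes</define-tag>. If the template matches these values case-sensitively, which is what this change implies, check whether fixed needs the same treatment so that field renders as intended. The added secrefs value CA-1998-03 should also be confirmed against the advisory text before commit.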


 
# Changes to 1ssh.wml to add new data.
# Changed from what was in my original email (simplified).
# Note, there is nothing that absolutely ensures that the new
# information is related to the original DSA.  However, the version
# number matches and it seems to be related.
--- undated/1ssh.wml.old        Sun Jul 22 07:46:50 2001
+++ undated/1ssh.wml.new        Wed Jul 30 15:53:08 2003
@@ -3,6 +3,13 @@
 ssh allowed non-privileged users to forward privileged ports.

 <p>Fixes: ssh 1.2.21-1 or later
+
+<p>Insufficent permission checking may allow a SSH client user, to access
+remote accounts belonging to the ssh-agent user.
+
+<p>SSH versions 1.2.17 thru 1.2.21 are vulnerable.  SSH versions prior to
+1.2.17 are vunerable to a different, though similar attack.
+
 </define-tag>

 # do not modify the following line
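Review bot: The added paragraph says "SSH versions 1.2.17 thru 1.2.21 are vulnerable" while the unchanged line just above it says "Fixes: ssh 1.2.21-1 or later", so a reader cannot tell whether the 1.2.21-1 package also fixes the ssh-agent issue. State the fixed version for the new issue explicitly, or reword the range. The added text also needs spelling fixes before commit: "Insufficent" should be "Insufficient", "vunerable" should be "vulnerable", "a SSH" should be "an SSH", and the comma after "client user" should be dropped.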


Doug Jensen


