[Secure-testing-commits] r11636 - data/CVE

Kees Cook kees at ubuntu.com
Fri Apr 17 15:50:41 UTC 2009 

Hi,

On Fri, Apr 17, 2009 at 10:57:38AM -0400, Michael S. Gilbert wrote:
> On Fri, 17 Apr 2009 11:30:19 +0200, Nico Golde wrote:
> > * Kees Cook <kees at alioth.debian.org> [2009-04-17 09:59]:
> > > Author: kees
> > > Date: 2009-04-17 01:25:52 +0000 (Fri, 17 Apr 2009)
> > > New Revision: 11636
> > > 
> > > Modified:
> > >    data/CVE/list
> > > Log:
> > > Sync from Ubuntu CVE tracker...
> > > unfixed: archivemail azureus clamav evolution-data-server ghostscript graphicsmagick iceape iceweasel jbossas4 libapache2-mod-perl2 libstruts1.2-java linux-2.6 ntp openjdk-6 python2.4 python2.5 sun-java5 sun-java6 tomcat5.5 torrentflux typo3-src wireshark xulrunner
> > > fixed: lighttpd tunapie
> > 
> > Could you please switch that off again? Without prior 
> > discussion I think such bots are not acceptable. I also 
> > don't think that we want automatic fixed entries, this is 
> > way to error prone. Also from what I experienced so far just 
> > adding <unfixed> entries doesn't help that much, usually it 
> > takes very long until someone picks that up and files a bug.
> > 
> > I want at least a further discussion of this until you 
> > switch this on again. It's not that we were too lazy or to 
> > unskilled so far to play with soap and mark fixed bugs 
> > automatically in the tracker but as far as I can tell this 
> > wasn't done on purpose.
> 
> if they submitted (semi-automated) bug reports for all of the unfixed
> issues that they sync up, would that be sufficient to address your
> concerns?
> 
> i agree that auto-marking fixed issues is quite dangerous and should
> not be done.

Sorry for not being clear on this; the commit isn't automatic.  The tool on
our side just adds <unfixed> entries, and then we go through and clean up
stuff that has been obviously fixed (i.e. entries that have a DSA attached
to it, etc).

Since we're highly time-limited, we can't always go hunting through
Debian changelogs or the BTS to see if a specific CVE is actually fixed.  I
had made the assumption that marking a "TODO: check" CVE with a package and
"<unfixed>" was more information than leaving it "TODO: check".  If this is
not the case, I'm happy to just disable that part again.  I was just trying
to find a way to sync information from our tracker into Debian's where
Debian had no information listed.

We could file bugs, but then, I imagine people would be upset about
duplicates.  I figured that a CVE that says "TODO: check" says absolutely
nothing, and requires a triager to do a full analysis, where-as a CVE that
has a package listed, marked "unfixed" means a triager would have to only
examine that single package.

As always, I'm open to any suggestions.  I can take the package-adder out
very easily and just go back to the old NFU-only merger.

-Kees

-- 
Kees Cook
Ubuntu Security Team

More information about the Secure-testing-commits mailing list