[Git][security-tracker-team/security-tracker][master] Revert "Claim xrdp"
Dominik George (@natureshadow)
natureshadow at debian.org
Mon Mar 27 12:00:18 BST 2023
Dominik George pushed to branch master at Debian Security Tracker / security-tracker
Commits:
49375e47 by Dominik George at 2023-03-27T12:59:45+02:00
Revert "Claim xrdp"
This reverts commit 7816c862df2fc979aebce9f072e3cbf3d84c253c.
- - - - -
9 changed files:
- − bin/gen-DLA
- + bin/gen-DLA
- − bin/rejected-with-info
- + bin/rejected-with-info
- data/dla-needed.txt
- − doc/soriano.txt
- + doc/soriano.txt
- − packages/openjdk-7.txt
- + packages/openjdk-7.txt
Changes:
=====================================
bin/gen-DLA deleted
=====================================
@@ -1,441 +0,0 @@
-#!/bin/sh
-
-####################
-# Copyright (C) 2011, 2012, 2013, 2014 by Raphael Geissert <geissert at debian.org>
-#
-#
-# This file is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This file is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this file. If not, see <https://www.gnu.org/licenses/>.
-####################
-
-set -e
-
-IDMODE=DSA
-case "$(basename "$0")" in
- *gen-*)
- IDMODE=${0#*gen-}
- ;;
-esac
-
-if ! command -v jq >/dev/null ; then
- echo "error: jq is needed to parse distributions, please install it"
- exit 1
-fi
-
-RELEASES=`jq -r '.distributions | to_entries[] | select(.value.release) | .value.release | ascii_upcase' data/config.json`
-CODENAMES=`jq -r '.distributions | to_entries[] | select(.value.release) | .key' data/config.json`
-
-while read dist; do
- read codename
- eval $dist=$codename
-done << EOF
-`jq -r '.distributions | to_entries[] | select(.value.release) | (.value.release | ascii_upcase), .key' data/config.json`
-EOF
-
-NAME_SPACING=24
-DATE_SPACING=22
-
-export LC_ALL=C
-
-[ -f doc/$IDMODE.template ] || {
- echo "error: call this script from the root of the repository" >&2
- exit 1
-}
-
-[ $# -ge 1 ] || {
- echo "usage: $0 [--save] [--embargoed|--unembargo] [$IDMODE] package[.changes] [regression] [cve(s) [bugnumber(s)]] "
- echo " '$IDMODE' is the $IDMODE number, required when issuing a revision"
- echo " 'cve(s)' and 'bugnumber(s)' can be passed in any order but"
- echo " always AFTER the description"
- echo ""
- echo " When specifying package.changes the package name, version, additional bug(s) and cve(s)"
- echo " are parsed from the .changes file."
- echo ""
- echo " If it doesn't like your bug number, prefix it with # and report"
- exit 1
-} >&2
-
-save=false
-if [ "$1" = "--save" ]; then
- save=true
- shift
-fi
-
-embargoed=false
-if [ "$1" = "--embargoed" ]; then
- embargoed=true
- shift
-fi
-
-unembargo=false
-if [ "$1" = "--unembargo" ]; then
- unembargo=true
- shift
- set -- "$1"
-fi
-
-toupper() {
- printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
-}
-
-tolower() {
- printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
-}
-
-split_n_sort() {
- printf '%s' "$1" | sed -r 's/[ ,;]+/ /g;s/^ //' | tr ' ' "\n" | sort -u |
- sort ${2:--n} | tr "\n" ' ' | sed -r 's/\s+/ /g;s/\s$//'
-}
-
-_d_space() {
- local direction="$1" text="$2" to_length="$3"
- local right='' left='' output='' spacing=0
-
- if [ "$direction" = 'right' ]; then
- right=' '
- elif [ "$direction" = 'left' ]; then
- left=' '
- else
- echo FIXME >&2
- exit 1
- fi
-
- spacing=$(($to_length-${#text}))
- output="$text"
- while [ $spacing -gt 0 ]; do
- output="${left}${output}${right}"
- spacing=$((spacing-1))
- done
- printf '%s' "$output"
-}
-
-left_space() {
- _d_space left "$@"
-}
-
-right_space() {
- _d_space right "$@"
-}
-
-warn() {
- printf "${YELLOW}warning:${NORMAL} %s\n" "$1"
-}
-
-notice() {
- printf "${MAGENTA}notice:${NORMAL} %s\n" "$1"
-}
-
-error() {
- printf "${RED}error:${NORMAL} %s\n" "$1"
-}
-
-setvar() {
- local var="$1" value="$2"
-
- if [ -z "$value" ]; then
- value="$(eval 'printf "%s" "$'"$var"'"')"
- fi
-
- sed -i "s=\$$var=$value=g" "$tmpf"
-}
-
-if command -v tput >/dev/null; then
- RED=$(tput setaf 1)
- YELLOW=$(tput setaf 3)
- MAGENTA=$(tput setaf 5)
- NORMAL=$(tput op)
-else
- RED=''
- YELLOW=''
- MAGENTA=''
- NORMAL=''
-fi
-
-DAID=
-if printf '%s' "$1" | grep -Eq '^('"$IDMODE"'-|)[0-9]+(-[0-9]+|)$'; then
- DAID="${1#$IDMODE-}"
- shift
-fi
-
-PACKAGE=
-CHANGES=
-
-if echo "$1" | grep -q '_.*\.changes$'; then
- CHANGES="$1"
- PACKAGE=$(awk '/^Source: / {print $2}' $CHANGES)
-else
- PACKAGE="$(tolower "$1")"
-fi
-
-shift
-
-TYPE=security
-if [ regression = "$1" ]; then
- TYPE=regression
- shift
-fi
-
-CVE=
-BUGNUM=
-REFERENCES=0
-TEXT=
-
-while [ $# -gt 0 ]; do
- case "$1" in
- [cC][vV][eE]-*)
- CVE="$CVE $(toupper "$1")"
- ;;
- [0-9][0-9][0-9][0-9][0-9][0-9][0-9]|[#][0-9]*)
- BUGNUM="$BUGNUM ${1#\#}"
- ;;
- *)
- error "Don't know what to do with '$1' argument" >&2
- exit 1
- ;;
- esac
- shift
-done
-
-if ! [ -z "$CHANGES" ]; then
- # parse info from .changes file
- # Version can occur in GPG signature, thus we exit on first occurence
- version="$(awk '/^Version: / {print $2; exit 0}' $CHANGES)"
- dist="$(awk '/^Distribution: / {print $2}' $CHANGES | sed 's/-.*//')"
- export ${dist}_VERSION="$version"
-
- for bug in $(awk '/^Closes: / {sub(".*"$2,$2); print $0}' $CHANGES); do
- BUGNUM="$BUGNUM ${bug#\#}"
- done
- for cve in $(awk 'BEGIN {RS="[ ().,:;\n\\[\\]]" } /^CVE-[0-9]+-[0-9]+$/ {print $1}' $CHANGES); do
- CVE="$CVE $cve"
- done
-fi
-
-BUGNUM="$(split_n_sort "$BUGNUM")"
-
-CVE="$(split_n_sort "$CVE" -V)"
-cve_spacing="$(right_space '' 17)"
-
-sed_cmd='s/((CVE-[0-9-]+[ ]+){4})/\1\\n'"$cve_spacing"'/g;P;D'
-CVE_LIST="$(printf '%s' "$CVE" | sed -r "$sed_cmd")"
-
-for id in $CVE; do
- REFERENCES=$(($REFERENCES+1))
- grep -wq "^$id" data/CVE/list || {
- warn "'$id' is not known" >&2
- }
-
- TEXT="$TEXT\n\n$id\n\n Description"
-done
-
-if [ $REFERENCES -eq 1 ]; then
- TEXT=
-fi
-
-if [ -n "$TEXT" ]; then
- TEXT="Brief introduction $TEXT"
-
- if ! $save; then
- TEXT="The CVE ids will be listed here when --save'ing"
- fi
-fi
-
-case "$DAID" in
- *-*|'')
- :
- ;;
- *)
- notice "missing $IDMODE revision number, assuming 1" >&2
- DAID="$DAID-1"
- ;;
-esac
-
-daid_exists() {
- grep -wq "$IDMODE-$1" data/$IDMODE/list
-}
-
-if $embargoed; then
- DAID=EMBRGD-"$PACKAGE"
-fi
-
-if [ -z "$DAID" ]; then
- if [ "$TYPE" = regression ]; then
- latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)"
- revision=${latest_daid#*-}
- daid=${latest_daid%-*}
- else
- latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-1/{s/^.+'"$IDMODE"'-[0]*([0-9]+).*$/\1/;p;q}' data/$IDMODE/list)"
- daid=$(($latest_daid+1))
- revision=1
- fi
-
- c=0
- while daid_exists "$daid-$revision"; do
- if [ "$TYPE" = regression ]; then
- revision=$(($revision+1))
- else
- daid=$(($daid+1))
- fi
- c=$(($c+1))
- if [ $c -eq 10 ]; then
- error "unable to find an unused $IDMODE id after $c attempts" >&2
- error "to workaround specify an id as the first parameter" >&2
- exit 1
- fi
- done
- DAID="$daid-$revision"
-fi
-
-if daid_exists "$DAID"; then
- error "$IDMODE-$DAID has already been used" >&2
- exit 1
-fi
-
-if $unembargo; then
- EMBRGD_ID="EMBRGD-$PACKAGE"
- mv "$IDMODE-${EMBRGD_ID}" $IDMODE-"$DAID"
-
- # get the date of when the embargoed entry was generated
- gen_date="$(sed -rn "/$IDMODE-${EMBRGD_ID}/{s/^\[(.+)\].+$/\1/;p;t}" data/$IDMODE/list)"
-
- OLD_DATE="$(date -d "$gen_date" +"%B %d, %Y")"
- OLD_SPACEDDATE="$(right_space "$OLD_DATE" "$DATE_SPACING")"
-
- NEW_DATE="$(date +"%B %d, %Y")"
- NEW_SPACEDDATE="$(right_space "$NEW_DATE" "$DATE_SPACING")"
-
- sed -ri "/$IDMODE-${EMBRGD_ID}/{s/\[.+\]/[$(date +"%d %b %Y")]/;s/$IDMODE-${EMBRGD_ID}/$IDMODE-$DAID/;}" data/$IDMODE/list
- sed -i "s/${EMBRGD_ID}/$DAID/g" $IDMODE-"$DAID"
- sed -i "s/^$OLD_SPACEDDATE/$NEW_SPACEDDATE/" $IDMODE-"$DAID"
-
- echo "'Unembargoing' as $IDMODE-$DAID"
- exit
-fi
-
-tmpf=$(mktemp)
-cat doc/$IDMODE.template > $tmpf
-
-if [ "$TYPE" = regression ]; then
- sed -ri '/^Subject:/s/security update$/regression update/' $tmpf
-fi
-
-if [ $REFERENCES -gt 1 ]; then
- sed -ri 's/this problem has/these problems have/' $tmpf
-fi
-
-if [ -z "$DEBFULLNAME" ]; then
- "error: DEBFULLNAME env variable required"
- exit 1
-fi
-SPACEDDEBFULLNAME="$(left_space "$DEBFULLNAME" "$NAME_SPACING")"
-
-DATE="$(date +"%B %d, %Y")"
-SPACEDDATE="$(right_space "$DATE" "$DATE_SPACING")"
-
-setvar DEBEMAIL
-setvar DEBFULLNAME
-setvar SPACEDDEBFULLNAME
-setvar PACKAGE
-setvar CVE "$CVE_LIST"
-setvar ${IDMODE}ID "$DAID"
-setvar BUGNUM
-setvar SPACEDDATE
-setvar DATE
-setvar TEXT "${TEXT:-$IDMODE text goes here}"
-
-for dist in $RELEASES; do
- setvar $dist
-done
-
-DISTS=
-
-for dist in $CODENAMES; do
- version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
- if $save && [ -z "$version" ] && grep -q "${dist}_VERSION" "$tmpf"; then
- printf "Enter $dist's version [unset]: "
- read version
- if [ -n "$version" ]; then
- eval "${dist}_VERSION='$version'"
- fi
- fi
- [ -z "$version" ] || setvar "${dist}_VERSION" "$version"
- [ -z "$version" ] || DISTS="${DISTS},${dist}"
-done
-
-DISTS="${DISTS#,}"
-
-if [ -n "${DISTS}" ]; then
- bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE}
-fi
-
-if ! $save; then
- cat $tmpf
- echo
- echo " ---- "
- echo "Pass --save as the first parameter to save the text to $IDMODE-$DAID"
- echo "(the data/$IDMODE/list entry will also be added)"
- rm -f "$tmpf"
- exit
-else
- mv -i $tmpf "$IDMODE-$DAID" || { rm -f $tmpf; exit; }
-
- needed_file=data/"$(tolower "$IDMODE")"-needed.txt
-
- daid_entry=$(mktemp)
- cat <<EOF > $daid_entry
-[$(date +"%d %b %Y")] $IDMODE-$DAID $PACKAGE - $TYPE update
-EOF
-
- if [ "$CVE" ]; then
- printf "\t{%s}\n" "$CVE" >> $daid_entry
- fi
-
- for dist in $CODENAMES; do
- version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
- [ -z "$version" ] || \
- printf "\t[%s] - %s %s\n" "$dist" "$PACKAGE" "$version" >> $daid_entry
- done
- tmp_list="$(mktemp)"
- cat $daid_entry data/$IDMODE/list > $tmp_list
- cat $tmp_list > data/$IDMODE/list
- rm -f $tmp_list
- sed -rn '/^'"$PACKAGE"'(\/\w+)?(\s.*|$)\b/{: next;n;/^\s/b next;d};p' $needed_file > $needed_file.new
- mv $needed_file.new $needed_file
- echo "$IDMODE text written to ./$IDMODE-$DAID"
- if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then
- idmode=$(echo "$IDMODE" | tr A-Z a-z)
- if [ -n "${DISTS}" ]; then
- # in case the advisory applies to several dists, we only look for an
- # extra cve file in the first one
- DIST="`echo ${DISTS} | sed 's/,.*//'`"
- extracvefile=`jq -r ".distributions.${DIST}.maincvefile // empty" data/config.json`
- fi
- if [ -d .git ]; then
- echo "Made the following changes:"
- git diff -- data/$IDMODE/list data/CVE/list $extracvefile $needed_file
- if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . && [ $TYPE = security ]; then
- warn "did not make any changes to $needed_file - this may indicate duplicate work or misspelled package name"
- fi
- fi
- warn "you need to commit and push the changes to data/$IDMODE/list etc. to actually reserve the $IDMODE-$DAID number and avoid conflicts with others."
- if [ -d .git ]; then
- echo -n "Do you want to commit and push them now ? [Yn] "
- read reply
- if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then
- git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file
- git commit -m "Reserve $IDMODE-$DAID for $PACKAGE"
- git push origin master
- fi
- fi
- fi
-fi
=====================================
bin/gen-DLA
=====================================
@@ -0,0 +1 @@
+gen-DSA
\ No newline at end of file
=====================================
bin/rejected-with-info deleted
=====================================
@@ -1,86 +0,0 @@
-#!/bin/sh
-
-####################
-# Copyright (C) 2011 by Raphael Geissert <geissert at debian.org>
-#
-#
-# This file is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This file is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this file. If not, see <https://www.gnu.org/licenses/>.
-####################
-
-set -eu
-
-list=data/CVE/list
-
-[ -f $list ] || {
- echo "error: $list doesn't exist" >&2
- exit 1
-}
-
-verbose=false
-if [ "${1:-}" = "--verbose" ]; then
- verbose=true
- shift
-fi
-
-regex='*'
-if [ -n "${1:-}" ]; then
- regex="${1:-}"
-fi
-
-condition=RESERVED
-case "$(basename "$0")" in
- reserved-*)
- condition=RESERVED
- ;;
- rejected-*)
- condition=REJECTED
- ;;
-esac
-
-condition_seen=false
-wanted=false
-cve=
-while read line; do
- case $line in
- CVE-$regex)
- cve="$line"
- condition_seen=false
- wanted=true
- ;;
- CVE-*)
- cve="$line"
- condition_seen=false
- wanted=false
- ;;
- *$condition)
- condition_seen=true
- ;;
- *)
- if ! $condition_seen || ! $wanted; then
- continue
- fi
- if [ "$cve" ]; then
- if $verbose; then
- printf "%s\n" "$cve"
- else
- printf "%s\n" "$(printf '%s' "$cve" | cut -d\ -f1)"
- fi
- cve=
- fi
- if $verbose; then
- printf "\t%s\n" "$line"
- fi
- ;;
- esac
-done < "$list"
=====================================
bin/rejected-with-info
=====================================
@@ -0,0 +1 @@
+reserved-but-public
\ No newline at end of file
=====================================
data/dla-needed.txt
=====================================
@@ -340,7 +340,7 @@ wordpress (guilhem)
NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html
NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk)
--
-xrdp (Dominik George)
+xrdp
NOTE: 20221225: Programming language: C.
NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)
=====================================
doc/soriano.txt deleted
=====================================
@@ -1,109 +0,0 @@
-Tracker setup on soriano.debian.org
-===================================
-
-(This is internal documentation, in case things need to be fixed.
-It is not relevant to day-to-day editing tasks.)
-
-The code and data is organized via
-https://salsa.debian.org/security-tracker-team/
-
-Required packages for running the security-tracker are pulled in via the
-debian.org-security-tracker.debian.org . A mirror for to the packaging
-repository is at https://salsa.debian.org/dsa-team/mirror/debian.org,
-which creates the debian.org-security-tracker.debian.org binary package.
-
-Relevant files and directories
-------------------------------
-
-The tracker runs under the user ID "sectracker". Most of its files
-are stored in the directory /srv/security-tracker.debian.org/website:
-
- bin/cron invoked by cron once every minute
- bin/cron-hourly invoked by cron once every hour
- bin/cron-daily invoked by cron once every day
- bin/read-and-touch invoked by ~/.procmailrc
- bin/start-daemon invoked by cron at reboot
-
- security-tracker Git checkout
- security-tracker/bin/* main entry points, called bin bin/cron
- security-tracker/stamps/* files which trigger processing by bin/cron
-
-~sectracker/.procmailrc invokes bin/read-and-touch to create stamp
-files, which are then picked up by bin/cron. This is done to serialize
-change events in batches (e.g., commits originated from git).
-<sectracker at soriano.debian.org> is subscribed to these mailing lists to
-be notified of changes:
-
- <debian-security-announce at lists.debian.org>
- <debian-lts-announce at lists.debian.org>
- <debian-security-tracker-commits.alioth-lists.debian.net>
-
-The crontab of the "sectracker" user is set up such that the scripts
-are invoked as specified above.
-
-~sectracker/.wgetrc contains the path to the bundle of certificate
-authorities to verify peers for the data fetched via wget:
-
-ca-certificate=/etc/ssl/ca-global/ca-certificates.crt
-
-~sectracker/.curlrc contains a similar setting:
-
-capath=/etc/ssl/ca-global
-
-Web server
-----------
-
-80/TCP is handled by Apache. The Apache configuration is here:
-
- /srv/security-tracker.debian.org/etc/apache.conf
-
-mod_proxy is used to forward requests to the actual server which
-listens on 127.0.0.1:25648 and is started by a user systemd unit
-/srv/security-tracker.debian.org/website/systemd/tracker_service.service
-
-The user systemd unit needs to be activated and started once at initial
-setup of the host (including requesting DSA to activate lingering for
-the sectracker user):
-
-As the sectracker running user:
-
-systemctl --user enable --now /srv/security-tracker.debian.org/website/systemd/tracker_service.service
-
-To restart the security tracker service, restart the user systemd unit.
-
-Logging
--------
-
-Apache logs are stored in:
-
- /var/log/apache2/security-tracker.debian.org.access.log
- /var/log/apache2/security-tracker.debian.org.error.log
-
-The Python daemon writes logs to a separate file, too:
-
- /srv/security-tracker.debian.org/website/log/daemon.log
-
-This also contains the exception traces.
-
-debsecan metadata
------------------
-
-/srv/security-tracker.debian.org/website/bin/cron contains code which
-pushes updates to secure-testing-master, using rsync.
-
-PTS interface
--------------
-
-The PTS fetches bug counts from this URL:
-
- https://security-tracker.debian.org/tracker/data/pts/1
-
-Code updates
-------------
-
-Updates to the Git checkout only affect the directory
-/srv/security-tracker.debian.org/website/security-tracker/data. Code
-changes need to be applied manually by inspecting the changes done in
-the security-tracker.git.
-
-After that a service restart is needed (see above)
=====================================
doc/soriano.txt
=====================================
@@ -0,0 +1 @@
+setup.txt
\ No newline at end of file
=====================================
packages/openjdk-7.txt deleted
=====================================
@@ -1,21 +0,0 @@
-Build
------
-
-We follow the upstream releases in oldstable and stable, i.e. the version in sid
-is recompiled. The package scripts automatically create the control and rules
-with the appropriate dependencies.
-
-- You need to download the fixed package from unstable
-- Modify the version number to something like 6b31-1.13.3-1~deb7u1
-- Regenerate the control/rules file: (squeeze is also supported)
- touch debian/control.in; debian/rules debian/control distrel=wheezy
-- Build with "-sa" (since each security update usually updates to a new release)
-
-Testing
--------
-
-OpenJDK has an extensive test suite, the result should be compared with previous
-build logs.
-
-Other than that some functionality tests of Java packages in the archive or with
-openjdk-6-demos.
=====================================
packages/openjdk-7.txt
=====================================
@@ -0,0 +1 @@
+openjdk-6.txt
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49375e474bee4d9a5ee23e44d9257f89d8eaa9ec
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49375e474bee4d9a5ee23e44d9257f89d8eaa9ec
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230327/ee30b8b6/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list