[Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase

Moritz Muehlenhoff jmm at inutil.org
Fri Sep 23 20:53:49 UTC 2005


Hi,
as discussed we should implement some changes to our CAN/list and possibly 
finalize it as well.

1. The unfixed tag should be pulled out of the brackets and moved to
   the place where the actual fix would belong. This makes things
   much more structured and logical.

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
        - texinfo (unfixed; bug #328265; low)

   would become

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
        - texinfo unfixed (bug #328265; low)

2. Issues that we currently can't research on our own should be moved from
   TODO: to HELP:. A website is generated from the HELP entries and linked from
   secure-testing.debian.net.

3. REJECTED: replaces the current NOTE: rejected; after the colon a reason or cross reference
   may follow (free form).

4. RESERVED replaces the current NOTE: reserved.

5. To track ITPs more cleanly we should add them like this (the source package name
   is the one for which the ITP has been filed, but instead of a version number they
   get an itp entry). The referenced bug number is the ITP's bug number, so that we
   can track whether it gets closed and react upon it.

CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
        - mediawiki itp (bug #276057; bug #217571)

6. For syntactical clarity cross references in {} should only be allowed directly
   after the CVE line.

7. After some more thought, I agree with Florian's argument that

   NOT-FOR-US: Ueberl00t BBS Board

   is a better solution than

   NOTE: not-for-us (Ueberl00t BBS Board).

   The first one permits us to have a concrete machine-parseable solution for each
   security issue, while we can use NOTE: to give additional free-form information.
   This will be a big diff, but I think it's worth the effort.
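To show how the proposed syntax (items 1 to 7 above) would be consumed, here is a small parser written for this mail; it is an added example, not the secure-testing team's own tooling. It assumes fixed packages carry a version where "unfixed"/"itp" would otherwise stand, that cross references are a whitespace-separated list inside {} on the line after the CVE line, and that keyword lines may be indented; the sample input mixes the two entries quoted above with a constructed third one.

```python
import re
# Assumed layout: "CAN-YYYY-NNNN (description)", optional "{cross refs}" directly below,
# "- <source-pkg> <version|unfixed|itp> (bug #N; severity)" per package, and keyword lines.
ID_RE = re.compile(r"^((?:CAN|CVE)-\d{4}-\d+)\s+\((.*)\)\s*$")
PKG_RE = re.compile(r"^\s+-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
XREF_RE = re.compile(r"^\s*\{(.*)\}\s*$")
KW_RE = re.compile(r"^\s*(NOT-FOR-US|REJECTED|RESERVED|NOTE|TODO|HELP):?\s*(.*)$")

def parse_pkg_fields(fields):
    """Split 'bug #328265; low' into Debian bug numbers and remaining free-form fields."""
    parts = [p.strip() for p in (fields or "").split(";") if p.strip()]
    bugs = [int(p[len("bug #"):]) for p in parts if p.startswith("bug #")]
    return bugs, [p for p in parts if not p.startswith("bug #")]

def parse_can_list(text):
    """Parse the list into {cve_id: entry}; raise ValueError on a syntax violation."""
    entries, cur, prev_was_id = {}, None, False
    for lineno, line in ((n, l) for n, l in enumerate(text.splitlines(), 1) if l.strip()):
        if m := ID_RE.match(line):
            cur = entries[m.group(1)] = {"desc": m.group(2), "xrefs": [], "pkgs": [], "keywords": []}
        elif cur is None:
            raise ValueError(f"line {lineno}: data before the first CVE line")
        elif m := XREF_RE.match(line):
            if not prev_was_id:  # rule 6: {} only directly after the CVE line
                raise ValueError(f"line {lineno}: cross reference not directly after CVE line")
            cur["xrefs"] = m.group(1).split()
        elif m := PKG_RE.match(line):
            name, state, fields = m.groups()
            bugs, rest = parse_pkg_fields(fields)
            status = state if state in ("unfixed", "itp") else "fixed"  # rules 1 and 5
            cur["pkgs"].append({"name": name, "status": status, "bugs": bugs, "fields": rest,
                                "version": state if status == "fixed" else None})
        elif m := KW_RE.match(line):
            cur["keywords"].append((m.group(1), m.group(2).strip()))  # rules 2, 3, 4, 7
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
        prev_was_id = bool(ID_RE.match(line))
    return entries

# Constructed sample: the two entries quoted in the mail plus one made-up fixed entry.
SAMPLE = """\
CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
        - texinfo unfixed (bug #328265; low)
CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
        - mediawiki itp (bug #276057; bug #217571)
CAN-2005-0001 (constructed entry with a fixed version, a cross reference and a note)
        {CAN-2005-3011}
        - somepkg 1.2-3 (bug #100000; medium)
        NOTE: free-form remark
"""
```

Running `parse_can_list(SAMPLE)` yields the ITP bug numbers 276057 and 217571 for mediawiki, which is exactly what a script tracking ITP closure (item 5) would poll.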

I also agree with your FIXES: proposal for DSA/list.

Please review and let's finalize the format somehow.

Cheers,
        Moritz