[Secure-testing-team] Introducing <no-dsa>

Moritz Muehlenhoff jmm at inutil.org
Sun Jan 1 23:14:33 UTC 2006


Florian Weimer wrote:
> > [distribution-tags] - packagename <no-dsa> (This explains, why there is no DSA)
> 
> I'm wondering if this is the correct format.  Wouldn't it make sense
> to generate a web page for http://www.debian.org/security/ from this
> data?  If yes, you might want to have a bit more space for
> explanations than that.

At a later stage this could be used to generate 
http://www.debian.org/security/nonvulns-sarge and the like, yes. These
explanations are also only a single line. If there's the need for a
more verbose form the bug should cover it anyway.
But I'd like to have this information in the tracker.

> > Florian, please tell me, when you've added this to the Python-lib
> > and debsecan, afterwards I'll add some entries to CVE/list.
> 
> I'm not sure how to flag this in debsecan.  Could you give a few
> examples how you would use this tag?

This would be an example:
CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
	[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)

In this case the phpbb maintainers decided that a fix is not necessary because they
strongly discourage the use of that specific configuration option and it is
therefore not supported, so no DSA would be issued.
Other examples would be entries for non-free packages or where a fix for a minor
problem would be too intrusive.

So, maybe debsecan could list these issues as "unfixed for a reason"? Or you
simply leave them as unfixed, but please ensure that the Python lib doesn't
choke on the new syntax element.

Cheers,
        Moritz
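An added example (not the tracker's own Python library) of parsing the CVE/list line format quoted above so that a `<no-dsa>` entry is reported as "unfixed for a reason" rather than rejected; the `<unfixed>` line and the bare fixed-version form in the sample are assumptions about the surrounding format, and the sample text itself is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the CVE/list layout quoted in the message; the
# "<unfixed>" line is an assumption added here to show a second tag.
SAMPLE = (
    "CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)\n"
    "\t[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)\n"
    "\t- phpbb2 <unfixed>\n"
)

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)(?:\s+\((.*)\))?\s*$")
PKG_RE = re.compile(
    r"^\s*(?:\[(?P<dist>[^\]]+)\]\s*)?-\s*(?P<package>\S+)"  # optional [dist], then "- pkg"
    r"(?:\s+(?P<version>[^\s<(]+))?"                          # fixed version, if any (assumed form)
    r"(?:\s*<(?P<tag>[^>]+)>)?"                               # <no-dsa>, <unfixed>, ...
    r"(?:\s*\((?P<note>.*)\))?\s*$"                           # one-line explanation
)


@dataclass
class PackageState:
    dist: Optional[str]
    package: str
    version: Optional[str]
    tag: Optional[str]
    note: Optional[str]

    def status(self) -> str:
        """A fixed version wins; <no-dsa> is still unfixed, but with a stated reason."""
        if self.version:
            return "fixed"
        if self.tag == "no-dsa":
            return "unfixed for a reason"
        return "unfixed"


@dataclass
class CveEntry:
    cve: str
    description: str
    packages: list[PackageState] = field(default_factory=list)


def parse_cve_list(text: str) -> list[CveEntry]:
    """Parse CVE header lines and their indented package/distribution lines."""
    entries: list[CveEntry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if (m := CVE_RE.match(raw)):
            entries.append(CveEntry(m.group(1), m.group(2) or ""))
            continue
        m = PKG_RE.match(raw)
        if m is None or not entries:
            raise ValueError(f"unparseable line: {raw!r}")
        entries[-1].packages.append(PackageState(**m.groupdict()))
    return entries
```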
