diff options
| author | Joey Hess <joeyh@debian.org> | 2005-08-26 20:24:15 +0000 |
|---|---|---|
| committer | Joey Hess <joeyh@debian.org> | 2005-08-26 20:24:15 +0000 |
| commit | 1eeb0b6a7142b3a259e60c74a0ec112b554429f5 (patch) | |
| tree | f06ae4028d9d5694fabe449cd0dda4308d7cacbd | |
| parent | 9f9c33f8f34dcd824d436f2558e3eb3610386193 (diff) | |
- add support for DTSAs, with a new DTDA directory, a script to generate
them, etc
- automatic db update with DTSA
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@1660 e39458fd-73e7-0310-bf30-c45bca0a0e42
| -rw-r--r-- | TODO | 15 | ||||
| -rw-r--r-- | data/CAN/Makefile | 2 | ||||
| -rw-r--r-- | data/CAN/list | 6 | ||||
| -rw-r--r-- | data/CVE/Makefile | 2 | ||||
| -rw-r--r-- | data/DTSA/DTSA-1-1 | 55 | ||||
| -rw-r--r-- | data/DTSA/list | 3 | ||||
| -rwxr-xr-x | data/DTSA/mkadvisory | 119 | ||||
| -rw-r--r-- | data/DTSA/template | 44 | ||||
| -rwxr-xr-x | data/checklist | 4 | ||||
| -rwxr-xr-x | data/updatelist | 45 | ||||
| -rw-r--r-- | doc/announce.2 | 65 | ||||
| -rw-r--r-- | website/index.html | 7 |
12 files changed, 322 insertions, 45 deletions
@@ -1,12 +1,5 @@ * Set up for DTSAs - - Procedure for DTSA number assignment. - - - Need a way to generate a DTSA given a set of .changes files - for the packages/architectures that will be in the DTSA. The amber - program in katie can do this, but is not designed for our situation. - Something based on amber's template needs to be implemented. - - Need a way for team members to hint packages from etch-proposed-updates to etch on secure-testing-master. Hint files similar to those used by release team? @@ -14,10 +7,12 @@ - Need a way to do an advisory for some arches and then auto-sync the rest as they get built. - - Web display of DTSAs + - Web display of DTSAs. - - Integrate DTSAs into checklist script, so it stops listing holes that - have had a DTSA issued. + - Better integrate DTSAs into checklist script, so it stops listing holes + that have had a DTSA issued. + + - Auto moderation of developer signed mails to -announce. * Merge stuff into security.debian.org. Long term, but we need to keep in mind that the current setup is just to get bootstrapped. diff --git a/data/CAN/Makefile b/data/CAN/Makefile index 12fd0fcb7c..81e5d50af7 100644 --- a/data/CAN/Makefile +++ b/data/CAN/Makefile @@ -1,5 +1,5 @@ update: rm -f full-can.html wget --quiet http://www.cve.mitre.org/cve/candidates/downloads/full-can.html - ../updatelist full-can.html ../DSA/list list > list.new + ../updatelist full-can.html ../DSA/list ../DTSA/list list > list.new mv -f list.new list diff --git a/data/CAN/list b/data/CAN/list index 5c61db9ef1..3bdca0be4b 100644 --- a/data/CAN/list +++ b/data/CAN/list @@ -156,8 +156,10 @@ CAN-2005-2629 CAN-2005-2628 NOTE: reserved CAN-2005-2627 (Multiple integer underflows in Kismet before 2005-08-R1 allow remote ...) + {DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CAN-2005-2626 (Unspecified vulnerability in Kismet before 2005-08-R1 allows remote ...) + {DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CAN-2004-2476 (Microsoft Internet Explorer 6.0 allows remote attackers to cause a ...) NOTE: not-for-us (MS IE) @@ -3823,12 +3825,14 @@ CAN-2005-1859 (Unknown vulnerability in arshell in the Array Service (arrayd) fo NOTE: not-for-us (arshell) CAN-2005-1857 NOTE: reserved + {DSA-786-1} CAN-2005-1856 [backup-manager: Potential symlink attack through hard coded file name] NOTE: reserved - {DSA-786-1} + {DSA-787-1} - backup-manager 0.5.8-2 (low) CAN-2005-1855 [Insecure default permissions in backup-manager] NOTE: reserved + {DSA-787-1} - backup-manager 0.5.8-2 (medium) CAN-2005-1854 (Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing ...) {DSA-772-1} diff --git a/data/CVE/Makefile b/data/CVE/Makefile index a31360f038..0f44b7885e 100644 --- a/data/CVE/Makefile +++ b/data/CVE/Makefile @@ -1,5 +1,5 @@ update: rm -f full-cve.html wget --quiet http://www.cve.mitre.org/cve/downloads/full-cve.html - ../updatelist full-cve.html ../DSA/list list > list.new + ../updatelist full-cve.html ../DSA/list ../DTSA/list list > list.new mv -f list.new list diff --git a/data/DTSA/DTSA-1-1 b/data/DTSA/DTSA-1-1 new file mode 100644 index 0000000000..bc5baf1f84 --- /dev/null +++ b/data/DTSA/DTSA-1-1 @@ -0,0 +1,55 @@ +------------------------------------------------------------------------------ +Debian Testing Security Advisory DTSA-1-1 http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org Joey Hess +August 26th, 2005 +------------------------------------------------------------------------------ + +Package : kismet +Vulnerability : remote code execution +Problem-Type : remote +Debian-specific: no +CVE ID : CAN-2005-2626 CAN-2005-2627 + +Multiple security holes have been discovered in kismet: + + CAN-2005-2627 + + Multiple integer underflows in Kismet allow remote attackers to execute + arbitrary code via (1) kernel headers in a pcap file or (2) data frame + dissection, which leads to heap-based buffer overflows. + + CAN-2005-2626 + + Unspecified vulnerability in Kismet allows remote attackers to have an + unknown impact via unprintable characters in the SSID. + +For the testing distribution (etch) this is fixed in version +2005.08.R1-0.1etch1. + +For the unstable distribution (sid) this is fixed in version +2005.08.R1-1. + +This upgrade is strongly recommended if you use kismet. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. + +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + + apt-get update && apt-get install kismet + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ diff --git a/data/DTSA/list b/data/DTSA/list new file mode 100644 index 0000000000..4dc23247ca --- /dev/null +++ b/data/DTSA/list @@ -0,0 +1,3 @@ +[26 Aug 2005] DTSA-1-1 kismet - remote code execution + {CAN-2005-2626 CAN-2005-2627} + - kismet 2005.08.R1-0.1etch1 (high) diff --git a/data/DTSA/mkadvisory b/data/DTSA/mkadvisory new file mode 100755 index 0000000000..896c05ef74 --- /dev/null +++ b/data/DTSA/mkadvisory @@ -0,0 +1,119 @@ +#!/usr/bin/perl +# Generate an advisory using a template. +use strict; +use warnings; +use User::pwent; +use Date::Format; +use Term::ReadLine; + +my $prefix="DTSA"; +my $advisory=getadvisory(); + +my %subst; +my %substchoices=( + DEBIAN_SPECIFIC => ["no","yes"], + TYPE => ["local", "remote"], +); +my %urgencytorecommendation=( + high => "strongly recommended", + medium => "recommended", + low => "encouraged", +); +my $term = Term::ReadLine->new("mkadvisory"); + +sub getsubst { + my $in=shift; + # Use any numer of X's around the left or right side of a + # variable to pad it to its max width, this will be turned + # into spaces for alignment. + my ($lpad, $var, $rpad)=$in=~/(X*)([^X]+)(X*)/; + $lpad=length($lpad); + $rpad=length($rpad); + + if (! exists $subst{$var}) { + if ($var eq 'ADVISORY') { + $subst{$var}=$advisory; + } + elsif ($var eq 'WHOAMI') { + my ($fullname, $office, $workphone, $homephone) = + split /\s*,\s*/, getpwuid($<)->gecos; + $subst{$var}=$fullname; + } + elsif ($var eq 'DATE') { + $subst{$var}=time2str("%B %o, %Y", time, "UTC"); + } + elsif ($var eq 'UPGRADE_RECOMMENDATION') { + print "Choose from ".join(", ", keys %urgencytorecommendation)."\n"; + while ($subst{URGENCY}=$term->readline("URGENCY: ", 'high')) { + if (exists $urgencytorecommendation{$subst{URGENCY}}) { + last; + } + } + $subst{$var}=$urgencytorecommendation{$subst{URGENCY}}; + } + else { + if (exists($substchoices{$var})) { + print "Choose from ".join(", ", @{$substchoices{$var}})."\n"; + $subst{$var}=$term->readline("$var: ", $substchoices{$var}->[0]); + } + else { + $subst{$var}=$term->readline("$var: "); + } + } + } + my $ret=$subst{$var}; + if ($lpad && length($ret) < length($in) + 4) { + $ret=(" " x (length($in) + 4 - length($ret))).$ret; + } + if ($rpad && length($ret) < length($in) + 4) { + $ret.=(" " x (length($in) + 4 - length($ret))); + } + return $ret; +} + +# Get the advisory number. If a parameter is passed, use that as the +# number, otherwise, find the next unused one. +sub getadvisory { + my $num; + if (@ARGV) { + $num=shift; + } + else { + $num=1; + foreach my $file (glob("$prefix-*")) { + my ($major, $minor)=$file=~/$prefix-(.*)-(.*)/; + if ($major >= $num) { + $num=$major+1; + } + } + $num="$num-1"; + } + if (-e "$prefix-$num") { + die "$prefix-$num already exists\n"; + } + return "$prefix-$num"; +} + +print "Creating $advisory ...\n"; +open (OUT, ">$advisory") || die "write $advisory: $!"; +open (TEMPLATE, "template") || die "read template: $!"; +while (<TEMPLATE>) { + s/__([A-Z_]+)__/getsubst($1)/eg; + print OUT; +} +close TEMPLATE; +close OUT; + +print "Adding to list ...\n"; +open (IN, "list") || die "read list: $!"; +my @list=<IN>; +close IN; +open (OUT,">list") || die "write list: $!"; +print OUT "[".time2str("%e %b %Y", time, "UTC")."] $advisory $subst{PACKAGE} - $subst{SHORTDESC}\n"; +print OUT "\t{$subst{CVE}}\n" if length $subst{CVE}; +print OUT "\t- $subst{PACKAGE} $subst{TESTINGVER} ($subst{URGENCY})\n"; +print OUT @list; +close OUT; + +print "Editing $advisory ...\n"; +exec("sensible-editor", $advisory); diff --git a/data/DTSA/template b/data/DTSA/template new file mode 100644 index 0000000000..919f6ad127 --- /dev/null +++ b/data/DTSA/template @@ -0,0 +1,44 @@ +------------------------------------------------------------------------------ +Debian Testing Security Advisory __ADVISORYX__http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org __XXXXXXXXXXXXXXXXXXXXXXXWHOAMI__ +__DATE__ +------------------------------------------------------------------------------ + +Package : __PACKAGE__ +Vulnerability : __SHORTDESC__ +Problem-Type : __TYPE__ +Debian-specific: __DEBIAN_SPECIFIC__ +CVE ID : __CVE__ + +__DESCRIPTION__ + +For the testing distribution (etch) this is fixed in version +__TESTINGVER__. + +For the unstable distribution (sid) this is fixed in version +__UNSTABLEVER__. + +This upgrade is __UPGRADE_RECOMMENDATION__ if you use __PACKAGE__. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. + +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + + apt-get update && apt-get install __PACKAGE__ + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ diff --git a/data/checklist b/data/checklist index c621ddd8b2..628ff1accd 100755 --- a/data/checklist +++ b/data/checklist @@ -82,9 +82,9 @@ foreach my $list (@ARGV) { print STDERR "line: $_" if $debug; chomp; if (/^\[/) { - ($id)=m/((?:DSA|CAN|CVE)-[^\s]+) /; + ($id)=m/((?:DSA|DTSA|CAN|CVE)-[^\s]+) /; } - elsif (/^((?:DSA|CAN|CVE)-[^\s]+)/) { + elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) { $id=$1; } elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) { diff --git a/data/updatelist b/data/updatelist index 577684147d..91f27000b8 100755 --- a/data/updatelist +++ b/data/updatelist @@ -1,30 +1,37 @@ #!/usr/bin/perl my $full_can_html=shift; my $dsa_list=shift; +my $dtsa_list=shift; my $our_list=shift; my %cans; -open (DSA, "<$dsa_list") || die "$dsa_list: $!\n"; -my $dsa; -while (<DSA>) { - if (/^\[/) { - ($dsa)=m/(DSA-.*?) /; - } - if (/\{(CAN|CVE)/) { - my ($canlist)=m/\{(.*)\}/; - foreach my $can (split ' ', $canlist) { - $can=~s/CVE-/CAN-/g; - next unless $can=~/^CAN-\d+/; - $cans{$can}{can}=$can; - push @{$cans{$can}{dsa}}, $dsa; - $can=~s/CAN-/CVE-/g; - $cans{$can}{can}=$can; - push @{$cans{$can}{dsa}}, $dsa; +sub read_dsa { + my $list=shift; + + open (DSA, "<$list") || die "$list: $!\n"; + my $dsa; + while (<DSA>) { + if (/^\[/) { + ($dsa)=m/(DT?SA-.*?) /; + } + if (/\{(CAN|CVE)/) { + my ($canlist)=m/\{(.*)\}/; + foreach my $can (split ' ', $canlist) { + $can=~s/CVE-/CAN-/g; + next unless $can=~/^CAN-\d+/; + $cans{$can}{can}=$can; + push @{$cans{$can}{dsa}}, $dsa; + $can=~s/CAN-/CVE-/g; + $cans{$can}{can}=$can; + push @{$cans{$can}{dsa}}, $dsa; + } } } + close DSA; } -close DSA; +read_dsa($dsa_list); +read_dsa($dtsa_list); my %listedcans; @@ -102,10 +109,10 @@ while (<IN>) { elsif (/^\s+NOTE:\s*(reserved|rejected)\s*$/) { # skip it } - elsif (/^\s+NOTE: covered by DSA.*/) { + elsif (/^\s+NOTE: covered by DT?SA.*/) { # skip it (old form) } - elsif (/^\s+{DSA.*/) { + elsif (/^\s+{DT?SA.*/) { # skip } elsif (/^\s+(.*)/ && $can) { diff --git a/doc/announce.2 b/doc/announce.2 index 187e56e0de..ab595671b9 100644 --- a/doc/announce.2 +++ b/doc/announce.2 @@ -3,10 +3,18 @@ DRAFT. Slashdot on penalty of death. DRAFT Subject: announcing the beginning of security support for testing +----------------------------------------------------------------------------- +Debian Testing Security Team http://secure-testing.debian.net +Security support for testing secure-testing-team@lists.alioth.debian.org +August 26th, 2005 +----------------------------------------------------------------------------- + +Security support for testing + The Debian testing security team is pleased to announce the beginning of full security support for Debian's testing distribution. We have spent the past year building the team, tracking and fixing security holes, and -creating our infrastructure, and now the final piece is in place, and +creating our infrastructure, and now the final pieces are in place, and we are able to offer security updates and advisories for testing. We invite Debian users who are currently running testing, or who would like @@ -19,21 +27,60 @@ and run "apt-get update && apt-get upgrade" to make the security updates available: deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free +deb-src http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free -Note that some initial advisories have already been posted to the list -and are already available in the repository. These include: +Some initial advisories have already been posted to the list and are already +available in the repository. These include: DTSA-1-1 kismet - XXXXXX complete Note that this announcement does not mean that testing is free of security issues. Several security issues are present in unstable, and an even larger -quantity are present in testing. Our beginning of security support only -means that we are now able to begin making security fixes available for -testing nearly as quickly as for unstable. The testing security team makes -statistics about what security holes are still open available on our -website, and users should use this information to make their own decision -about whether testing is secure enough for production use. +number are present in testing. Our beginning of security support only means +that we are now able to begin making security fixes available for testing +nearly as quickly as for unstable. The testing security team's website has +information about what security holes are still open, and users should use +this information to make their own decision about whether testing is secure +enough for production use. For more information about the testing security team, see our web site. <http://secure-testing.alioth.debian.org/>. + +---------------------------------------------------------------------------- + +The archive signing key that is used to sign the apt repository is +included below and can also be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.1 (GNU/Linux) + +mQGiBEMM7wgRBACs/rcYtu++PqBV5t6qTf9FsjJYZV4OUoQmtK849PdHUoVONh/b +yz0vmP4QPCJXraFYiiiaur8WLcOphwY3DFaz0quozxl3pZfJjN27qDdTTDUKk1Kq +zFQYTsDaXjSh0nRGW3gFmbyIqTL8sVGOAAz2KbrtLEQE11qYZjzvylEf4wCgv6ss +HgQ7AcSBjpvm72e9PvSuDhMD/1kV0Snq9ilvCv7QLHBo/JnNgiCwxh5nEnPWHYjo +SB0I99nuFMAzooAXTQhU3Hx1/sdZ3SMk1hWwZCPI0iNqESH2a3ib0YZt0DycWa3Y +KxXIJet92u3ApSMVbp6OzzL7REoNCAgg6F/lrl+lVtnHbKiKBMZlKMsp+kQLSXqr +Ki0pA/wIkkp7mJ7IiVS0fy9gueuiLqJKR6+i092J0RXsQesQX4OTC2DY3IICB22Q +HfE8WNVZ2iPuWK0ymg6GqAHplp7bfVZMzfMSTMc+hj9WnmEVRRjLH66tsq1XHGEQ +qg/mbkmeXwUwxAT1WGClcRWJqODmWE7KhkjKwGklYgzBoxwqkLRDc2VjdXJlLXRl +c3RpbmcgQXJjaGl2ZSBLZXkgMjAwNS03IDxrYXRpZUBzZWN1cmUtdGVzdGluZy5k +ZWJpYW4ubmV0PohkBBMRAgAkBQJDDO8IAhsDBQkElVcABgsJCAcDAgMVAgMDFgIB +Ah4BAheAAAoJEJRqpuGHIucecvgAoK3nnF0yEwpNeQASyerh4wxRblZzAJ9h8rEF +YldbZt/zYA53k2/y2m+s7LkCDQRDDO8gEAgAm1Y/a//sVe6fEANvLc5M5pEsoRkP +LNKcH1O/og2mID8/gBV99LRfRnjcV8xhF5cWIlb4Es3KvQxmvxo6zGEfsMJWoezq +H+2agIra78dfb0B1AyHuvwSRMc9sVy+3CuegM8bD3ss+4ta3rNLChpVrE8DxJZum +ecqkNSQVOkqeAOl2JIQ/xBkLg1hjQA8bXW5AiUu4/XAQAe04w7YNfdsApeCfpKEW +Atg54CD9uRbfSwnd2uYHYcosmBMhryNrHy27RkyS0BFWaL/1gfBqua7VujcnCm6S +nbhB4t3vk/AnEsPJixtW/tOC3a3BaPqGsTq848e/PzmWY/8y9mvXwbxq5wADBQgA +gNtB3u8TCN2Z4wkKrg19LohivQzJCXFfRi2ZydOe9E3SbSi6ggthjvGhHv2lTHEu +e/4wBOta3a9pUpVdMgRFL1UuJy3nPd1yPC0dOegJj+lMkeMGcdKolJUMdoA+ieZ2 +lwkrT1b5GdFBSRn8hsuRtZi69QtzoHzDR5lg9ynwTJ+mLlO8r83HmdxbXsnmGlxy +ZWRoqiSIl7mRLHp2tuFw9chgJ1nqwewTmCj85Aj/YsbGmqOJcnp98Jk0GDiP/le4 +rktZAqG2blwVpC2DLLiQSqcYS5jjq/iiGnYEIVG+nPa/29OuoX40zwKqBcy5I8rJ +ZIq2hzbazsyg2Sd3vhmZuohPBBgRAgAPBQJDDO8gAhsMBQkElVcAAAoJEJRqpuGH +IuceRqUAn3Q8msRUTsp882QINWyy5fqTehb5AJ9+kz3xq+7ooAwkdgpNOiz7ogxp +Qg== +=KBNL +-----END PGP PUBLIC KEY BLOCK----- diff --git a/website/index.html b/website/index.html index eb19fa66ef..f9a16ded50 100644 --- a/website/index.html +++ b/website/index.html @@ -42,7 +42,9 @@ repository: <pre> deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free </pre> + The archive signing key used for this repository is <a href="ziyi-2005-7.asc">here</a>. </p> <h1>Data sources</h1> @@ -108,17 +110,18 @@ including builds for all other architectures: <pre> deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free </pre> Build logs can be found <a href="http://experimental.debian.net/">here</a>. </li> <li> Once everything is ready, contact a team member to create a DSTA annoucement - (procedure pending), contact a secure-testing-master admin + (using data/DTSA/mkadvisory), contact a secure-testing-master admin to move the upload from etch-proposed-updates to etch (using something like this, but the procedure is still being worked out: madison -s etch-proposed-updates -f heidi -S $package | sudo -u katie heidi -a etch) - and send the DSTA to secure-testing-announce. + and send the signed DSTA to secure-testing-announce. </li> </ol> </p> |