author | Dominik George <natureshadow@debian.org> | 2023-03-27 12:59:45 +0200 |
---|---|---|
committer | Dominik George <natureshadow@debian.org> | 2023-03-27 12:59:45 +0200 |
commit | 49375e474bee4d9a5ee23e44d9257f89d8eaa9ec (patch) | |
tree | a69bc53efcaa93e0930d8730f09730d2116602d4 | |
parent | 7816c862df2fc979aebce9f072e3cbf3d84c253c (diff) |
Revert "Claim xrdp"
This reverts commit 7816c862df2fc979aebce9f072e3cbf3d84c253c.
l---------[-rwxr-xr-x] | bin/gen-DLA | 442 | ||||
l---------[-rwxr-xr-x] | bin/rejected-with-info | 87 | ||||
-rw-r--r-- | data/dla-needed.txt | 2 | ||||
l---------[-rw-r--r--] | doc/soriano.txt | 110 | ||||
l---------[-rw-r--r--] | packages/openjdk-7.txt | 22 |
5 files changed, 5 insertions, 658 deletions
diff --git a/bin/gen-DLA b/bin/gen-DLA
index 7d43c59bd0..0d23e68f18 100755..120000
--- a/bin/gen-DLA
+++ b/bin/gen-DLA
@@ -1,441 +1 @@ -#!/bin/sh - -#################### -# Copyright (C) 2011, 2012, 2013, 2014 by Raphael Geissert <geissert@debian.org> -# -# -# This file is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This file is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this file. If not, see <https://www.gnu.org/licenses/>. -#################### - -set -e - -IDMODE=DSA -case "$(basename "$0")" in - *gen-*) - IDMODE=${0#*gen-} - ;; -esac - -if ! command -v jq >/dev/null ; then - echo "error: jq is needed to parse distributions, please install it" - exit 1 -fi - -RELEASES=`jq -r '.distributions | to_entries[] | select(.value.release) | .value.release | ascii_upcase' data/config.json` -CODENAMES=`jq -r '.distributions | to_entries[] | select(.value.release) | .key' data/config.json` - -while read dist; do - read codename - eval $dist=$codename -done << EOF -`jq -r '.distributions | to_entries[] | select(.value.release) | (.value.release | ascii_upcase), .key' data/config.json` -EOF - -NAME_SPACING=24 -DATE_SPACING=22 - -export LC_ALL=C - -[ -f doc/$IDMODE.template ] || { - echo "error: call this script from the root of the repository" >&2 - exit 1 -} - -[ $# -ge 1 ] || { - echo "usage: $0 [--save] [--embargoed|--unembargo] [$IDMODE] package[.changes] [regression] [cve(s) [bugnumber(s)]] " - echo " '$IDMODE' is the $IDMODE number, required when issuing a revision" - echo " 'cve(s)' and 'bugnumber(s)' can be passed in any order but" - echo " always AFTER the description" - echo "" - echo " When specifying package.changes the 
package name, version, additional bug(s) and cve(s)" - echo " are parsed from the .changes file." - echo "" - echo " If it doesn't like your bug number, prefix it with # and report" - exit 1 -} >&2 - -save=false -if [ "$1" = "--save" ]; then - save=true - shift -fi - -embargoed=false -if [ "$1" = "--embargoed" ]; then - embargoed=true - shift -fi - -unembargo=false -if [ "$1" = "--unembargo" ]; then - unembargo=true - shift - set -- "$1" -fi - -toupper() { - printf '%s' "$1" | tr '[:lower:]' '[:upper:]' -} - -tolower() { - printf '%s' "$1" | tr '[:upper:]' '[:lower:]' -} - -split_n_sort() { - printf '%s' "$1" | sed -r 's/[ ,;]+/ /g;s/^ //' | tr ' ' "\n" | sort -u | - sort ${2:--n} | tr "\n" ' ' | sed -r 's/\s+/ /g;s/\s$//' -} - -_d_space() { - local direction="$1" text="$2" to_length="$3" - local right='' left='' output='' spacing=0 - - if [ "$direction" = 'right' ]; then - right=' ' - elif [ "$direction" = 'left' ]; then - left=' ' - else - echo FIXME >&2 - exit 1 - fi - - spacing=$(($to_length-${#text})) - output="$text" - while [ $spacing -gt 0 ]; do - output="${left}${output}${right}" - spacing=$((spacing-1)) - done - printf '%s' "$output" -} - -left_space() { - _d_space left "$@" -} - -right_space() { - _d_space right "$@" -} - -warn() { - printf "${YELLOW}warning:${NORMAL} %s\n" "$1" -} - -notice() { - printf "${MAGENTA}notice:${NORMAL} %s\n" "$1" -} - -error() { - printf "${RED}error:${NORMAL} %s\n" "$1" -} - -setvar() { - local var="$1" value="$2" - - if [ -z "$value" ]; then - value="$(eval 'printf "%s" "$'"$var"'"')" - fi - - sed -i "s=\$$var=$value=g" "$tmpf" -} - -if command -v tput >/dev/null; then - RED=$(tput setaf 1) - YELLOW=$(tput setaf 3) - MAGENTA=$(tput setaf 5) - NORMAL=$(tput op) -else - RED='' - YELLOW='' - MAGENTA='' - NORMAL='' -fi - -DAID= -if printf '%s' "$1" | grep -Eq '^('"$IDMODE"'-|)[0-9]+(-[0-9]+|)$'; then - DAID="${1#$IDMODE-}" - shift -fi - -PACKAGE= -CHANGES= - -if echo "$1" | grep -q '_.*\.changes$'; then - CHANGES="$1" - 
PACKAGE=$(awk '/^Source: / {print $2}' $CHANGES) -else - PACKAGE="$(tolower "$1")" -fi - -shift - -TYPE=security -if [ regression = "$1" ]; then - TYPE=regression - shift -fi - -CVE= -BUGNUM= -REFERENCES=0 -TEXT= - -while [ $# -gt 0 ]; do - case "$1" in - [cC][vV][eE]-*) - CVE="$CVE $(toupper "$1")" - ;; - [0-9][0-9][0-9][0-9][0-9][0-9][0-9]|[#][0-9]*) - BUGNUM="$BUGNUM ${1#\#}" - ;; - *) - error "Don't know what to do with '$1' argument" >&2 - exit 1 - ;; - esac - shift -done - -if ! [ -z "$CHANGES" ]; then - # parse info from .changes file - # Version can occur in GPG signature, thus we exit on first occurence - version="$(awk '/^Version: / {print $2; exit 0}' $CHANGES)" - dist="$(awk '/^Distribution: / {print $2}' $CHANGES | sed 's/-.*//')" - export ${dist}_VERSION="$version" - - for bug in $(awk '/^Closes: / {sub(".*"$2,$2); print $0}' $CHANGES); do - BUGNUM="$BUGNUM ${bug#\#}" - done - for cve in $(awk 'BEGIN {RS="[ ().,:;\n\\[\\]]" } /^CVE-[0-9]+-[0-9]+$/ {print $1}' $CHANGES); do - CVE="$CVE $cve" - done -fi - -BUGNUM="$(split_n_sort "$BUGNUM")" - -CVE="$(split_n_sort "$CVE" -V)" -cve_spacing="$(right_space '' 17)" - -sed_cmd='s/((CVE-[0-9-]+[ ]+){4})/\1\\n'"$cve_spacing"'/g;P;D' -CVE_LIST="$(printf '%s' "$CVE" | sed -r "$sed_cmd")" - -for id in $CVE; do - REFERENCES=$(($REFERENCES+1)) - grep -wq "^$id" data/CVE/list || { - warn "'$id' is not known" >&2 - } - - TEXT="$TEXT\n\n$id\n\n Description" -done - -if [ $REFERENCES -eq 1 ]; then - TEXT= -fi - -if [ -n "$TEXT" ]; then - TEXT="Brief introduction $TEXT" - - if ! 
$save; then - TEXT="The CVE ids will be listed here when --save'ing" - fi -fi - -case "$DAID" in - *-*|'') - : - ;; - *) - notice "missing $IDMODE revision number, assuming 1" >&2 - DAID="$DAID-1" - ;; -esac - -daid_exists() { - grep -wq "$IDMODE-$1" data/$IDMODE/list -} - -if $embargoed; then - DAID=EMBRGD-"$PACKAGE" -fi - -if [ -z "$DAID" ]; then - if [ "$TYPE" = regression ]; then - latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)" - revision=${latest_daid#*-} - daid=${latest_daid%-*} - else - latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-1/{s/^.+'"$IDMODE"'-[0]*([0-9]+).*$/\1/;p;q}' data/$IDMODE/list)" - daid=$(($latest_daid+1)) - revision=1 - fi - - c=0 - while daid_exists "$daid-$revision"; do - if [ "$TYPE" = regression ]; then - revision=$(($revision+1)) - else - daid=$(($daid+1)) - fi - c=$(($c+1)) - if [ $c -eq 10 ]; then - error "unable to find an unused $IDMODE id after $c attempts" >&2 - error "to workaround specify an id as the first parameter" >&2 - exit 1 - fi - done - DAID="$daid-$revision" -fi - -if daid_exists "$DAID"; then - error "$IDMODE-$DAID has already been used" >&2 - exit 1 -fi - -if $unembargo; then - EMBRGD_ID="EMBRGD-$PACKAGE" - mv "$IDMODE-${EMBRGD_ID}" $IDMODE-"$DAID" - - # get the date of when the embargoed entry was generated - gen_date="$(sed -rn "/$IDMODE-${EMBRGD_ID}/{s/^\[(.+)\].+$/\1/;p;t}" data/$IDMODE/list)" - - OLD_DATE="$(date -d "$gen_date" +"%B %d, %Y")" - OLD_SPACEDDATE="$(right_space "$OLD_DATE" "$DATE_SPACING")" - - NEW_DATE="$(date +"%B %d, %Y")" - NEW_SPACEDDATE="$(right_space "$NEW_DATE" "$DATE_SPACING")" - - sed -ri "/$IDMODE-${EMBRGD_ID}/{s/\[.+\]/[$(date +"%d %b %Y")]/;s/$IDMODE-${EMBRGD_ID}/$IDMODE-$DAID/;}" data/$IDMODE/list - sed -i "s/${EMBRGD_ID}/$DAID/g" $IDMODE-"$DAID" - sed -i "s/^$OLD_SPACEDDATE/$NEW_SPACEDDATE/" $IDMODE-"$DAID" - - echo "'Unembargoing' as $IDMODE-$DAID" - exit -fi - -tmpf=$(mktemp) -cat doc/$IDMODE.template > 
$tmpf - -if [ "$TYPE" = regression ]; then - sed -ri '/^Subject:/s/security update$/regression update/' $tmpf -fi - -if [ $REFERENCES -gt 1 ]; then - sed -ri 's/this problem has/these problems have/' $tmpf -fi - -if [ -z "$DEBFULLNAME" ]; then - "error: DEBFULLNAME env variable required" - exit 1 -fi -SPACEDDEBFULLNAME="$(left_space "$DEBFULLNAME" "$NAME_SPACING")" - -DATE="$(date +"%B %d, %Y")" -SPACEDDATE="$(right_space "$DATE" "$DATE_SPACING")" - -setvar DEBEMAIL -setvar DEBFULLNAME -setvar SPACEDDEBFULLNAME -setvar PACKAGE -setvar CVE "$CVE_LIST" -setvar ${IDMODE}ID "$DAID" -setvar BUGNUM -setvar SPACEDDATE -setvar DATE -setvar TEXT "${TEXT:-$IDMODE text goes here}" - -for dist in $RELEASES; do - setvar $dist -done - -DISTS= - -for dist in $CODENAMES; do - version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')" - if $save && [ -z "$version" ] && grep -q "${dist}_VERSION" "$tmpf"; then - printf "Enter $dist's version [unset]: " - read version - if [ -n "$version" ]; then - eval "${dist}_VERSION='$version'" - fi - fi - [ -z "$version" ] || setvar "${dist}_VERSION" "$version" - [ -z "$version" ] || DISTS="${DISTS},${dist}" -done - -DISTS="${DISTS#,}" - -if [ -n "${DISTS}" ]; then - bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE} -fi - -if ! 
$save; then - cat $tmpf - echo - echo " ---- " - echo "Pass --save as the first parameter to save the text to $IDMODE-$DAID" - echo "(the data/$IDMODE/list entry will also be added)" - rm -f "$tmpf" - exit -else - mv -i $tmpf "$IDMODE-$DAID" || { rm -f $tmpf; exit; } - - needed_file=data/"$(tolower "$IDMODE")"-needed.txt - - daid_entry=$(mktemp) - cat <<EOF > $daid_entry -[$(date +"%d %b %Y")] $IDMODE-$DAID $PACKAGE - $TYPE update -EOF - - if [ "$CVE" ]; then - printf "\t{%s}\n" "$CVE" >> $daid_entry - fi - - for dist in $CODENAMES; do - version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')" - [ -z "$version" ] || \ - printf "\t[%s] - %s %s\n" "$dist" "$PACKAGE" "$version" >> $daid_entry - done - tmp_list="$(mktemp)" - cat $daid_entry data/$IDMODE/list > $tmp_list - cat $tmp_list > data/$IDMODE/list - rm -f $tmp_list - sed -rn '/^'"$PACKAGE"'(\/\w+)?(\s.*|$)\b/{: next;n;/^\s/b next;d};p' $needed_file > $needed_file.new - mv $needed_file.new $needed_file - echo "$IDMODE text written to ./$IDMODE-$DAID" - if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then - idmode=$(echo "$IDMODE" | tr A-Z a-z) - if [ -n "${DISTS}" ]; then - # in case the advisory applies to several dists, we only look for an - # extra cve file in the first one - DIST="`echo ${DISTS} | sed 's/,.*//'`" - extracvefile=`jq -r ".distributions.${DIST}.maincvefile // empty" data/config.json` - fi - if [ -d .git ]; then - echo "Made the following changes:" - git diff -- data/$IDMODE/list data/CVE/list $extracvefile $needed_file - if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . && [ $TYPE = security ]; then - warn "did not make any changes to $needed_file - this may indicate duplicate work or misspelled package name" - fi - fi - warn "you need to commit and push the changes to data/$IDMODE/list etc. to actually reserve the $IDMODE-$DAID number and avoid conflicts with others." - if [ -d .git ]; then - echo -n "Do you want to commit and push them now ? 
[Yn] " - read reply - if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then - git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file - git commit -m "Reserve $IDMODE-$DAID for $PACKAGE" - git push origin master - fi - fi - fi -fi +gen-DSA
\ No newline at end of file
diff --git a/bin/rejected-with-info b/bin/rejected-with-info
index 8ae56fd01e..0c59069b10 100755..120000
--- a/bin/rejected-with-info
+++ b/bin/rejected-with-info
@@ -1,86 +1 @@
-#!/bin/sh
-
-####################
-# Copyright (C) 2011 by Raphael Geissert <geissert@debian.org>
-#
-#
-# This file is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This file is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this file. If not, see <https://www.gnu.org/licenses/>.
-####################
-
-set -eu
-
-list=data/CVE/list
-
-[ -f $list ] || {
- echo "error: $list doesn't exist" >&2
- exit 1
-}
-
-verbose=false
-if [ "${1:-}" = "--verbose" ]; then
- verbose=true
- shift
-fi
-
-regex='*'
-if [ -n "${1:-}" ]; then
- regex="${1:-}"
-fi
-
-condition=RESERVED
-case "$(basename "$0")" in
- reserved-*)
- condition=RESERVED
- ;;
- rejected-*)
- condition=REJECTED
- ;;
-esac
-
-condition_seen=false
-wanted=false
-cve=
-while read line; do
- case $line in
- CVE-$regex)
- cve="$line"
- condition_seen=false
- wanted=true
- ;;
- CVE-*)
- cve="$line"
- condition_seen=false
- wanted=false
- ;;
- *$condition)
- condition_seen=true
- ;;
- *)
- if ! $condition_seen || ! $wanted; then
- continue
- fi
- if [ "$cve" ]; then
- if $verbose; then
- printf "%s\n" "$cve"
- else
- printf "%s\n" "$(printf '%s' "$cve" | cut -d\ -f1)"
- fi
- cve=
- fi
- if $verbose; then
- printf "\t%s\n" "$line"
- fi
- ;;
- esac
-done < "$list"
+reserved-but-public
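Review bot: The commit message only mentions reverting the xrdp claim, but this hunk changes bin/gen-DLA from mode 100755 to 120000 and leaves `gen-DSA` as its sole content, and the bin/rejected-with-info, doc/soriano.txt and packages/openjdk-7.txt hunks do the same for their targets, so four symlinks are being restored that the reverted commit had apparently replaced with copies of the files they point to. That is the right outcome for a revert, but it deserves a sentence in the description so that a later reader of the history of bin/gen-DLA is not left with a 441-line deletion explained only as "Revert Claim xrdp"; something like `Also restores bin/gen-DLA, bin/rejected-with-info, doc/soriano.txt and packages/openjdk-7.txt as symlinks, which the reverted commit had replaced with the contents of their targets.` How the symlinks were flattened in the first place is not visible here; if it came from an editing path that does not preserve symlinks, a pre-commit or CI check that these paths keep mode 120000 would catch the next occurrence before it is pushed.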
\ No newline at end of file
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index d77c2f0de9..fe58be726c 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -340,7 +340,7 @@ wordpress (guilhem)
 NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html
 NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk)
 --
-xrdp (Dominik George)
+xrdp
 NOTE: 20221225: Programming language: C.
 NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
 NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)
diff --git a/doc/soriano.txt b/doc/soriano.txt
index c6d1653bb2..a3bfe270ba 100644..120000
--- a/doc/soriano.txt
+++ b/doc/soriano.txt
@@ -1,109 +1 @@ -Tracker setup on soriano.debian.org -=================================== - -(This is internal documentation, in case things need to be fixed. -It is not relevant to day-to-day editing tasks.) - -The code and data is organized via -https://salsa.debian.org/security-tracker-team/ - -Required packages for running the security-tracker are pulled in via the -debian.org-security-tracker.debian.org . A mirror for to the packaging -repository is at https://salsa.debian.org/dsa-team/mirror/debian.org, -which creates the debian.org-security-tracker.debian.org binary package. - -Relevant files and directories ------------------------------- - -The tracker runs under the user ID "sectracker". Most of its files -are stored in the directory /srv/security-tracker.debian.org/website: - - bin/cron invoked by cron once every minute - bin/cron-hourly invoked by cron once every hour - bin/cron-daily invoked by cron once every day - bin/read-and-touch invoked by ~/.procmailrc - bin/start-daemon invoked by cron at reboot - - security-tracker Git checkout - security-tracker/bin/* main entry points, called bin bin/cron - security-tracker/stamps/* files which trigger processing by bin/cron - -~sectracker/.procmailrc invokes bin/read-and-touch to create stamp -files, which are then picked up by bin/cron. This is done to serialize -change events in batches (e.g., commits originated from git). -<sectracker@soriano.debian.org> is subscribed to these mailing lists to -be notified of changes: - - <debian-security-announce@lists.debian.org> - <debian-lts-announce@lists.debian.org> - <debian-security-tracker-commits.alioth-lists.debian.net> - -The crontab of the "sectracker" user is set up such that the scripts -are invoked as specified above. 
- -~sectracker/.wgetrc contains the path to the bundle of certificate -authorities to verify peers for the data fetched via wget: - -ca-certificate=/etc/ssl/ca-global/ca-certificates.crt - -~sectracker/.curlrc contains a similar setting: - -capath=/etc/ssl/ca-global - -Web server ----------- - -80/TCP is handled by Apache. The Apache configuration is here: - - /srv/security-tracker.debian.org/etc/apache.conf - -mod_proxy is used to forward requests to the actual server which -listens on 127.0.0.1:25648 and is started by a user systemd unit -/srv/security-tracker.debian.org/website/systemd/tracker_service.service - -The user systemd unit needs to be activated and started once at initial -setup of the host (including requesting DSA to activate lingering for -the sectracker user): - -As the sectracker running user: - -systemctl --user enable --now /srv/security-tracker.debian.org/website/systemd/tracker_service.service - -To restart the security tracker service, restart the user systemd unit. - -Logging -------- - -Apache logs are stored in: - - /var/log/apache2/security-tracker.debian.org.access.log - /var/log/apache2/security-tracker.debian.org.error.log - -The Python daemon writes logs to a separate file, too: - - /srv/security-tracker.debian.org/website/log/daemon.log - -This also contains the exception traces. - -debsecan metadata ------------------ - -/srv/security-tracker.debian.org/website/bin/cron contains code which -pushes updates to secure-testing-master, using rsync. - -PTS interface -------------- - -The PTS fetches bug counts from this URL: - - https://security-tracker.debian.org/tracker/data/pts/1 - -Code updates ------------- - -Updates to the Git checkout only affect the directory -/srv/security-tracker.debian.org/website/security-tracker/data. Code -changes need to be applied manually by inspecting the changes done in -the security-tracker.git. - -After that a service restart is needed (see above) +setup.txt
\ No newline at end of file
diff --git a/packages/openjdk-7.txt b/packages/openjdk-7.txt
index 434f2e4bde..759bbeb985 100644..120000
--- a/packages/openjdk-7.txt
+++ b/packages/openjdk-7.txt
@@ -1,21 +1 @@
-Build
------
-
-We follow the upstream releases in oldstable and stable, i.e. the version in sid
-is recompiled. The package scripts automatically create the control and rules
-with the appropriate dependencies.
-
-- You need to download the fixed package from unstable
-- Modify the version number to something like 6b31-1.13.3-1~deb7u1
-- Regenerate the control/rules file: (squeeze is also supported)
- touch debian/control.in; debian/rules debian/control distrel=wheezy
-- Build with "-sa" (since each security update usually updates to a new release)
-
-Testing
--------
-
-OpenJDK has an extensive test suite, the result should be compared with previous
-build logs.
-
-Other than that some functionality tests of Java packages in the archive or with
-openjdk-6-demos.
+openjdk-6.txt
\ No newline at end of file |