reason is that it is more important to triage new potentially severe issues rather than to re-triage issues that have already been triaged once.
Otherwise we'll check the version in the old DLA against the current
LTS's Sources.
This is much harder to catch when a release becomes EOL, as we
grep for e.g. stretch.
It has little use, is written in perl and not using our current
parsers, and hardcodes stuff making it LTS specific when it
could be more generic.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This reverts commit f3e3e34a5ea5ac1e553b3aea371394812199e066.
Emilio did review the merge request so opt for this one and will close
!72.
This reverts commit 0f210141afc8bc4666084987ed9b52ae924b2a58.
Since !72 existed, we will merge that one instead.
for buster instead of stretch. This will make future LTS front desk person less confused.
make it less verbose.
If the advisory is for multiple distributions, check for the
extra cve file in the first one.
This is really misleading for users as it represents NVD's opinion on the severity of CVEs, but does *not* necessarily reflect the views of the Debian Security Team (and is often misconstrued by users as though it does).
There should probably also be deeper database changes to no longer store this value, but removing it from the website seems like a good (small) place to start.
dla-needed
(re-committed with proper authorship and commit information)
See https://lists.debian.org/debian-lts/2022/04/msg00011.html
This reverts commit 3fceb4e21a287674f166442ed8f5e563010710ff.
e.g. better analysis for "node-moment" and "golang-github-prometheus-client-golang"
e.g. twig/oldstable
Avoid merge-cve-files stumbling over FlagAnnotations like RESERVED and
REJECTED.
Also add code to tidy up the .xpck files that can be generated by the
merge process.
...if the file config key doesn't exist, otherwise git commit
will fail.
grab-cve-in-fix #1001451
See merge request security-tracker-team/security-tracker!100
Catch and report on possible typos in changes entries to better support
maintainers pre-checking the d.changelog entries before upload - as long
as the .changes file is signed.
Extend linelength to 120 in black.
Support catching errors in the d.changelog
Add support for forcing a specific version
Fix typo in new support in bin/merge-cve-files
Update support in update-vuln to insert new
PackageAnnotations in specific order.
Add support to add a bug number.
Add warnings in --help that each update must be merged before
the same CVE can be updated again.
Add a tool to ease processing of new uploads which fix CVEs
In case we're processing a dist that uses an ExtendFile.
Rather than have every user have to do it.
This can happen in ExtendFiles if they only contain dist tags
that are being removed.
The # prefixed bugnumber format was preferred to pass to the script,
still we have the alternative of the digits only. Just bump the allowed
digits by one now that we reached the 100000's bug.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This reverts commit 8795311fe744f6669fdf3da1ae281615aa97450a.
This causes issues e.g. on
https://security-tracker.debian.org/tracker/CVE-2021-20313.
Revert the change for now, but it should be re-added once the bug can be
fixed.
Move the print statements inside the conditional.
Print the supported commands before entering interactive mode.
Skip if only listing the CVEs
Otherwise we will crash if there's a DLA for a package in one of
those components.
When calling gen-DSA without --save, there's no version/release
information, so skip the call there to avoid a crash. In those
situations, gen-DSA will be called once more when the DSA is
ready with the --save argument, and we'll then remove the
appropriate CVE tags.
Closes #9
The recent addition of the remove-cve-dist-tags hook in gen-D[SL]A
script removes entries from data/CVE/list when they had a no-dsa (or
its substates) which are handled in the update.
When gen-DSA script is invoked in DLA mode though, there is a mechanism
to automatically commit the changes (and option to push) but that did
not take into account the changes in data/CVE/list.
And do it after we've asked for all the versions. Calling the script
after asking for each version and before asking for the next is
annoying as the script takes some time due to the size of CVE/list.
This way not only do we avoid that wait between user inputs, but we
also avoid calling the script and thus parsing CVE/list multiple times.
The release argument is a comma-separated list now.