| Commit message (Collapse) | Author | Age | Files | Lines |
It's just appending the new string annotations to the current
annotations, with special care not to add them if they are
already there (probably needed by grab-cve-in-fix or update-vuln).
|
We no longer get a tuple, so there's no need to convert it to
a list and return it. The method just merges the annotation into
the received annotations.
|
We can just modify the existing object now.
|
We can just modify the bug instance and add it to the modified
list. The data list is modified too, but we don't do anything
else with it.
|
Without creating a new object. Also since we're not creating
new objects, there's no need to recreate the data list.
|
Replace the bug's annotations instead now that we can modify
the object.
|
The notes dict is only going to contain notes for the current
CVE, so we can simply keep and pass the list.
|
If CVE/list has a CVE such as:

    CVE-2023-1234
        [experimental] - foo 1.0-1
        - foo 1.0-2

And we attempt to fix an annotation such as

    CVE-2023-1234
        [bullseye] - foo 0.1-1+deb11u1

that will crash when we are iterating over the experimental annotation
as next_annotation would be the sid one with release==None, and we would
be comparing internRelease(bullseye) with internRelease(None), which
is not supported.
This is happening with the current data/next-point-update.txt
|
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
This reverts commit 09544dc04cf8e9df4f76f0848897e59a55d58e32.
Better to discuss possible additions via merge requests. In particular
cvedetails.com is not something we would want to link. Others might add
value to the additional sources.
|
CVE Details, CIRCL, Red Hat CVEs, Ubuntu bugs, Alpine, Arch Linux bugs/CVEs.
Also shorten SUSE bugzilla to bug and use consistent function names.
Inspired-by: the Arch Linux security issue tracker
|
this sub-report rarely triggers action from front-desk and is of lower priority
|
Similar as done for 5eccf413c07f ("tracker_service: Switch to use
cve.org URL for source reference") switch now already to the cve.org URL
for referencing the CVE entries.
A later change will switch to fetch the needed information as well from
the new sources once they get available during the transition from
cve.mitre.org to cve.org.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
As we are going to switch with the transition to cve.org feeds switch
now already for referring CVEs in the MITRE database in the source field
of CVE entries.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
reason is that it is more important to triage new potentially severe issues rather than to re-triage issues that have already been triaged once.
|
Otherwise we'll check the version in the old DLA against the current
LTS's Sources.
|
This is much harder to catch when a release becomes EOL, as we
grep for e.g. stretch.
|
It has little use, is written in perl and not using our current
parsers, and hardcodes stuff making it LTS specific when it
could be more generic.
|
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
This reverts commit f3e3e34a5ea5ac1e553b3aea371394812199e066.
Emilio did review the merge request so opt for this one and will close
!72.
|
This reverts commit 0f210141afc8bc4666084987ed9b52ae924b2a58.
Since !72 existed. We will merge that one instead.
|
for buster instead of stretch. This will make future LTS front desk person less confused.
|
make it less verbose.
|
If the advisory is for multiple distributions, check for the
extra cve file in the first one.
|
This is really misleading for users as it represents NVD's opinion on the severity of CVEs, but does *not* necessarily reflect the views of the Debian Security Team (and is often misconstrued by users as though it does).
There should probably also be deeper database changes to no longer store this value, but removing it from the website seems like a good (small) place to start.
|
dla-needed
|
(re-committed with proper authorship and commit information)
See https://lists.debian.org/debian-lts/2022/04/msg00011.html
|
This reverts commit 3fceb4e21a287674f166442ed8f5e563010710ff.
|
e.g. better analysis for "node-moment" and "golang-github-prometheus-client-golang"
|
e.g. twig/oldstable
|
Avoid merge-cve-files stumbling over FlagAnnotations like RESERVED and
REJECTED.
Also add code to tidy up the .xpck files that can be generated by the
merge process.
|
...if the file config key doesn't exist, otherwise git commit
will fail.
|
grab-cve-in-fix #1001451
See merge request security-tracker-team/security-tracker!100
|
Catch and report on possible typos in changes entries to better support
maintainers pre-checking the d.changelog entries before upload - as long
as the .changes file is signed.
|
Extend linelength to 120 in black.