path: root/bin
Commit message (Author, Date; Files, Lines)
* Revert "tracker_service: make unimportant issues non-red" (Salvatore Bonaccorso, 2024-03-31; 1 file, -14/+2)

    This reverts commit 05e8e52378fe07d1e7e75613adfa8adf2fcd8c87.

    There seems to be a bug with that commit. In fact for instance
    CVE-2024-26652[1] will now show the unfixed versions marked as
    vulnerable (unimportant). The entry at the point of this writing was:

    CVE-2024-26652 (In the Linux kernel, the following vulnerability has been resolved: n ...)
            - linux <unfixed>
            [bookworm] - linux <not-affected> (Vulnerable code not present)
            [bullseye] - linux <not-affected> (Vulnerable code not present)
            [buster] - linux <not-affected> (Vulnerable code not present)
            NOTE: https://git.kernel.org/linus/ba18deddd6d502da71fd6b6143c53042271b82bd (6.8)

    Note that the entry is not classified unimportant.

    Another example is CVE-2024-26327[2]. Here the entries up from bookworm
    to sid are shown with "vulnerable (unimportant)". This is incorrect as
    well, as the issue is not unimportant either.

    CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...)
            - qemu <unfixed>
            [bookworm] - qemu <no-dsa> (Minor issue)
            [bullseye] - qemu <not-affected> (Vulnerable code introduced later)
            [buster] - qemu <not-affected> (Vulnerable code introduced later)
            NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)
            NOTE: https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/

    For now revert this commit.

    [1]: https://security-tracker.debian.org/tracker/CVE-2024-26652
    [2]: https://security-tracker.debian.org/tracker/CVE-2024-26327
* tracker_service: make unimportant issues non-red (Emilio Pozuelo Monfort, 2024-03-21; 1 file, -2/+14)

    They were marked as red and 'vulnerable'. Since they are marked as
    unimportant, we should show that to not raise alarms.
* check-new-issues: Fix comment header for copyright (Salvatore Bonaccorso, 2024-01-25; 1 file, -0/+4)

    Make the copyright statement complete.

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
* tracker_service: Fix generation of references for followup DSAs (Salvatore Bonaccorso, 2024-01-06; 1 file, -4/+8)

    As noted by Thomas Lange, incremented DSA references were as well
    pointing to the unversioned DSA page, for instance
    https://security-tracker.debian.org/tracker/DSA-5576-2 refers in its
    source field to https://www.debian.org/security/2023/dsa-5576 which
    will redirect to the DSA-5576-1 announce mail.

    Add logic to url_dsa to only refer to the unversioned DSA reference
    for the initial revision. Followups, either due to regression or
    incomplete security fix, will refer to the respective revision.

    As potentially a later change on debian-www side will make the
    unversioned DSA entries refer to the latest mailinglist post about a
    DSA, a followup commit might actually simplify the logic to always
    generate the reference with the respective revision.

    Reported-by: Thomas Lange <lange@cs.uni-koeln.de>
    Link: https://lists.debian.org/debian-security/2024/01/msg00001.html
    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
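The revision rule the commit above describes, as an added Python example; this is not the project's url_dsa() from bin/tracker_service.py but a hypothetical stand-in written for this page. It parses a `DSA-NNNN[-R]` identifier, keeps the unversioned debian-www page (which the message says redirects to the -1 announcement) for the initial revision, and points followups at a revision-specific URL. The `year` argument, the helper name `parse_dsa` and the `dsa-NNNN-R` layout of the followup URL are assumptions of this example; the page only shows the unversioned form.

```python
import re

# Hypothetical stand-in for the tracker's url_dsa(); the real function lives
# in bin/tracker_service.py and is not reproduced here.
DSA_RE = re.compile(r"^DSA-(?P<number>\d+)(?:-(?P<revision>\d+))?$")
WWW_BASE = "https://www.debian.org/security"


def parse_dsa(dsa_id):
    """Split 'DSA-5576-2' into (5576, 2); a bare 'DSA-5576' is revision 1."""
    m = DSA_RE.match(dsa_id)
    if m is None:
        raise ValueError(f"not a DSA identifier: {dsa_id!r}")
    revision = int(m.group("revision")) if m.group("revision") else 1
    if revision < 1:
        raise ValueError(f"invalid DSA revision in {dsa_id!r}")
    return int(m.group("number")), revision


def url_dsa(dsa_id, year):
    """Return the debian-www reference for a DSA.

    The year is not derivable from the identifier, so it is passed in
    explicitly here (assumption of this example).  The initial revision
    points at the unversioned page, which debian-www redirects to the
    DSA-NNNN-1 announcement; followups (-2, -3, ...) get a revision-specific
    URL.  The 'dsa-NNNN-R' layout is likewise an assumption of this example.
    """
    number, revision = parse_dsa(dsa_id)
    base = f"{WWW_BASE}/{year}/dsa-{number}"
    if revision == 1:
        return base
    return f"{base}-{revision}"


if __name__ == "__main__":
    for ref in ("DSA-5576", "DSA-5576-1", "DSA-5576-2"):
        print(ref, "->", url_dsa(ref, 2023))
```

Keeping the revision-1 case on the unversioned page is what makes the later simplification the message mentions (always emitting the revision) a one-line change: drop the `revision == 1` branch.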
* Add new script to fetch CVE descriptions from MITRE (Emilio Pozuelo Monfort, 2023-12-12; 1 file, -0/+128)

    The NVD files are going away, and it's easier to switch to the MITRE
    'API' than to the new NVD one.

    Closes: #1053702

* check-new-issues: don't exit when auto-setting nfu (Emilio Pozuelo Monfort, 2023-10-26; 1 file, -1/+1)

    present_issue returns true to exit.

* check-new-issues: Define set_cve_nfu before using it for automatic processing (Salvatore Bonaccorso, 2023-10-06; 1 file, -8/+8)

    When automatic NFU entry processing is enabled via the -a flag, then
    the processing will error out as set_cve_nfu is not known. Move the
    definition for set_cve_nfu upwards.

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* check-new-issues: read the zip file after downloading it (Emilio Pozuelo Monfort, 2023-10-05; 1 file, -4/+4)

    This was working when the file had already been downloaded, but was
    broken if the file was not present in some code reorganization.

* Merge branch 'check-new-issues-py-cve5' into 'master' (Emilio Pozuelo Monfort, 2023-10-05; 1 file, -725/+785)

    Rewrite check-new-issues in Python

    Closes #20 and #16

    See merge request security-tracker-team/security-tracker!140
  * bin/check-new-issues: add back fallback to NFU command (Emilio Pozuelo Monfort, 2023-10-05; 1 file, -2/+6)

      If no explicit command is entered, it is assumed to be NFU. This adds
      back that compatibility with the Perl version.

  * check-new-issues: keep blank line to skip to next issue (Emilio Pozuelo Monfort, 2023-10-05; 1 file, -2/+3)

      This partially reverts commit 7ebe865e to keep compatibility with the
      old Perl version. However we keep the newly added 's' command to skip
      to next issue.

  * check-new-issues: load CVE 5 JSON files dynamically (Emilio Pozuelo Monfort, 2023-07-11; 1 file, -18/+36)

      Pre-caching all of them takes quite some time, do it dynamically
      instead so that one can start processing issues quickly, since
      loading the next issue is not a problem, but loading 250k items is.

  * check-new-issues: improve entry formatting (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -0/+4)

  * check-new-issues: don't mark itp packages as seen (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -0/+3)

      We don't want to autocomplete on foo if we're going to add an
      autocompletion for 'foo <itp> (bug ...)' instead.

  * check-new-issues: fix performance issue with wnpp autocompletion (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -1/+2)

  * check-new-issues: autocomplete r (report) command (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -2/+4)

  * check-new-issues: better autocompletion for '- pkg ...' command (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -1/+4)

  * check-new-issues: move removed packages to the data file (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -5/+0)

  * check-new-issues: use '<cmd> <arg>' syntax (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -16/+16)

  * check-new-issues: add a skip command (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -2/+5)

  * check-new-issues: add an explicit command for NOT-FOR-US (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -5/+8)

      This should avoid accidentally typing something and having it
      inserted as a NOT-FOR-US entry.

  * Rewrite check-new-issues in Python (Emilio Pozuelo Monfort, 2023-06-27; 1 file, -716/+739)

      While at it, switch to the new MITRE CVE 5 API, as the previous API
      will be removed soon.

      Fixes #20
* bin/add-dsa-needed.sh: Package names can start with alphanumeric characters (Salvatore Bonaccorso, 2023-09-04; 1 file, -1/+1)

    Expand the expression to include lines starting with [0-9a-z]
    characters, as package names can start with alphanumeric characters.
    Without this '7zip' was not found through fetching
    https://security-tracker.debian.org/tracker/status/release/stable .

    Reported-by: Moritz Muehlenhoff <jmm@debian.org>
    Link: https://www.debian.org/doc/debian-policy/ch-controlfields.html#source
    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
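The pattern the commit above widens, as an added Python example rather than the project's bin/add-dsa-needed.sh (which is a shell script whose exact expression the page does not show): the letter-only anchor the message describes as the old behaviour, beside a pattern that follows the Debian Policy rule linked in the message (lowercase letters, digits, `+`, `-` and `.`; at least two characters; first character alphanumeric). The sample lines and the helper names are constructed for this example; the real status page layout is not reproduced.

```python
import re

# Old filter as the commit message describes it: only names starting with a letter.
OLD_NAME_RE = re.compile(r"^[a-z]")
# Debian Policy 5.6.1 (Source): lowercase letters, digits, plus, minus and
# periods; at least two characters; must start with an alphanumeric character.
POLICY_NAME_RE = re.compile(r"^[0-9a-z][0-9a-z+.-]+$")

# Constructed sample of candidate lines, one package name per line.  The real
# script reads https://security-tracker.debian.org/tracker/status/release/stable,
# whose exact layout is not reproduced here.
SAMPLE_LINES = """\
7zip
linux
qemu
gtk+3.0
libfoo-1.2
389-ds-base
-notaname
Foo
x
"""


def package_names(text, pattern):
    """Return the lines of text that the given name pattern accepts."""
    return [line for line in text.splitlines() if pattern.match(line)]


def old_filter(text):
    """Names the pre-fix expression would have found (misses '7zip')."""
    return package_names(text, OLD_NAME_RE)


def policy_filter(text):
    """Names accepted by the Policy-derived pattern."""
    return package_names(text, POLICY_NAME_RE)


if __name__ == "__main__":
    print("old:   ", old_filter(SAMPLE_LINES))
    print("policy:", policy_filter(SAMPLE_LINES))
```

The Policy-derived pattern is stricter than `^[0-9a-z]` alone: it also rejects a one-character name and anything containing characters outside the allowed set, which is what you want when the extracted names are fed back into other tracker tooling.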
* Revert "setup-repo: ensure hooks directory exists" (Salvatore Bonaccorso, 2023-07-08; 1 file, -1/+0)

    This reverts commit e57c301b2c5ad6d664d964aa961e2edfb6c6e4cc.

    Reasoning for the revert: At the point mkdir -p "$GIT_HOOKS_DIR" we
    did already several operations on ${HOOK}. So ensuring the directory
    exists seems likely to be done earlier. What concrete case did lead
    to this change?

* setup-repo: ensure hooks directory exists (Sean Whitton, 2023-07-07; 1 file, -0/+1)
* tracker_service.py: Remove non-functional Mageia advisories search (Salvatore Bonaccorso, 2023-06-15; 1 file, -9/+0)

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* tracker_service.py: Remove nonfunctional Metasploit search (Salvatore Bonaccorso, 2023-06-15; 1 file, -9/+0)

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* tracker_service.py: Remove non-functional EDB source search (Salvatore Bonaccorso, 2023-06-15; 1 file, -10/+0)

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* tracker_service.py: Remove nonfunctional bugtraq source (Salvatore Bonaccorso, 2023-06-15; 1 file, -9/+0)

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* List packages from oldstable and stable for dsa-needed list (Salvatore Bonaccorso, 2023-06-08; 1 file, -1/+1)

    Include in listing the oldstable distribution by enabling the boolean
    value "include_oldstable" to true and so enabling the including logic
    later on in the script.

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* tracker_service: use www.cve.org (Emilio Pozuelo Monfort, 2023-06-07; 1 file, -1/+1)
* Remove bin/updatelist (Emilio Pozuelo Monfort, 2023-06-07; 2 files, -186/+0)

    This script is superseded by bin/update-xrefs and
    bin/process-cve-records.

    Fixes #24
* tracker_service: link to cve.org (Emilio Pozuelo Monfort, 2023-06-07; 1 file, -1/+1)

    See commit 5eccf413.

    Related to #16

* report-vuln: get CVE descriptions from CVE JSON API (Emilio Pozuelo Monfort, 2023-06-07; 1 file, -52/+37)

    The old pages will eventually go away, so switch to the JSON API now
    that there's one, as that should be cleaner than parsing HTML.

    Fixes #23.

* lts-cve-triage: use correct debian-security-support branch (Emilio Pozuelo Monfort, 2023-05-30; 2 files, -6/+7)

    We were downloading files from master instead of the suite branch, so
    e.g. python2.7 was marked as limited support when it's still supported
    in buster.

* update-db: Allow to enable verbose logging of DB update operations (Salvatore Bonaccorso, 2023-05-27; 1 file, -2/+10)

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* Filter list for "unreported" view. Fix #987283 (Anton Gladky, 2023-05-26; 1 file, -2/+11)

* process-cve-records: Workaround descriptions with non-ascii characters (Salvatore Bonaccorso, 2023-04-28; 1 file, -1/+3)

    This restores previous storing of the truncated descriptions in our
    CVE list files until we know we can handle all non-ascii characters.
    Particular care might be needed on webservice side.

    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

* process-cve-records: don't remove our own descriptions (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -1/+2)

    Only the ones that came from MITRE.

* process-cve-records: improve description parsing (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -2/+11)

* process-cve-records: process all CVEs, not just new ones (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -1/+1)

* process-cve-records: clear descriptions for reserved or rejected CVEs (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -1/+3)

* process-cve-records: fix detection of empty CVEs (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -1/+2)

    If a CVE has a PackageAnnotation, it shouldn't get a TODO: check note.

* process-cve-records: update descriptions (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -3/+2)

    Don't only add them when we don't have one, but always update them in
    case the description has changed.

* update-xrefs: add --work-dir argument (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -4/+11)

* process-cve-records: add --work-dir argument (Emilio Pozuelo Monfort, 2023-04-28; 1 file, -15/+17)

    And switch to argparse for argument processing.

* process-cve-records: new script to parse MITRE CVE 5.0 records (Emilio Pozuelo Monfort, 2023-04-27; 1 file, -0/+155)

    This replaces the other part of bin/updatelist, but using the new CVE
    JSON 5.0 format.

    Closes #17, #18.
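The record handling that the process-cve-records commits above (2023-04-27/28) and the "fetch CVE descriptions from MITRE" script (2023-12-12) perform, as an added Python example that is not the project's code: a constructed CVE JSON 5.0 record is reduced to its English CNA description, non-PUBLISHED states (RESERVED, REJECTED) yield no description, as the "clear descriptions for reserved or rejected CVEs" commit requires, and the text is shortened to the `CVE-ID (first 70 characters ...)` shape of the entries quoted in the 2024-03-31 revert message at the top of this log. The 70-character cutoff, the whitespace collapsing, the record contents and the helper names `description_from_record`, `list_entry` and `entry_for` are assumptions of this example; it performs no network access.

```python
import json
import re

# Constructed CVE JSON 5.0 records, shaped after the CVE Record Format
# (dataType / cveMetadata / containers.cna.descriptions).  The texts are
# invented for this example, not the real records.
PUBLISHED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2024-26652", "state": "PUBLISHED"},
    "containers": {"cna": {"descriptions": [
        {"lang": "de", "value": "Konstruierter Text."},
        {"lang": "en",
         "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n"
                  "net: example driver: fix a use-after-free on device removal (constructed)."},
    ]}},
})
REJECTED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2024-0001", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Not used."}]}},
})


def description_from_record(raw):
    """Return the English CNA description of a CVE 5.0 record, or None.

    RESERVED and REJECTED records carry no usable description, so None is
    returned for any state other than PUBLISHED; a caller then clears the
    stored description rather than keeping a stale one.
    """
    record = json.loads(raw)
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    if record["cveMetadata"].get("state") != "PUBLISHED":
        return None
    for entry in record["containers"].get("cna", {}).get("descriptions", []):
        if entry.get("lang", "").lower().startswith("en"):
            return entry["value"]
    return None


def list_entry(cve_id, description, width=70):
    """Format 'CVE-ID (truncated description ...)' for a list file.

    Assumed rule, matching the quoted entries: keep the first `width`
    characters, collapse runs of whitespace (newlines included) to one
    space, and append ' ...' when text was cut off.  With no description
    only the identifier is emitted (assumption of this example).
    """
    if description is None:
        return cve_id
    head = re.sub(r"\s+", " ", description[:width]).strip()
    if len(description) > width:
        head += " ..."
    return f"{cve_id} ({head})"


def entry_for(cve_id, raw):
    """Parse one raw record and format its list entry."""
    return list_entry(cve_id, description_from_record(raw))


if __name__ == "__main__":
    print(entry_for("CVE-2024-26652", PUBLISHED_RECORD))
    print(entry_for("CVE-2024-0001", REJECTED_RECORD))
```

Note that the kernel-style description contains a double newline right after "resolved:", so truncating before collapsing whitespace is what produces the `resolved: n ...` tail seen in the quoted entry; collapsing first would shift the cut point.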
* update-xrefs: new script to update data/CVE/list Xrefs (Emilio Pozuelo Monfort, 2023-04-27; 1 file, -0/+93)

    This partly replaces bin/updatelist.

* Revert "Claim xrdp" (Dominik George, 2023-03-27; 2 files, -527/+2)

    This reverts commit 7816c862df2fc979aebce9f072e3cbf3d84c253c.

* Claim xrdp (Dominik George, 2023-03-27; 2 files, -2/+527)

© 2014-2024 Faster IT GmbH