Commit message | Author | Age | Files | Lines
buster-backports has been archived.
This reverts commit 63a9aa4515f4335203346034dcf842b067ab0fcc.
Samuel Henrique reported on IRC to get a message "release note must
follow its package note" when trying to commit
diff --git c/data/CVE/list i/data/CVE/list
index 5f829a4c..a3741dd6 100644
--- c/data/CVE/list
+++ i/data/CVE/list
@@ -92086,10 +92086,12 @@ CVE-2022-28702 (Incorrect Default Permissions vulnerability in ABB e-Design allo
CVE-2022-1615 (In Samba, GnuTLS gnutls_rnd() can fail and give predictable random val ...)
[experimental] - samba 2:4.17.0+dfsg-1
- samba 2:4.16.5+dfsg-2 (bug #1021024)
+ [buster] - sambda <not-affected> (Vulnerable code introduced later)
[bullseye] - samba <postponed> (Minor issue)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15103
NOTE: https://gitlab.com/samba-team/samba/-/merge_requests/2644
- NOTE: https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe (samba-4.17.0rc1)
+ NOTE: Introduced by: https://gitlab.com/samba-team/samba/-/commit/664eed2e926f8f572b81e6d7c8e09b7ccbafb908 (samba-4.12.0)
+ NOTE: Fixed by: https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe (samba-4.17.0rc1)
CVE-2022-1614 (The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visi ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1613 (The Restricted Site Access WordPress plugin before 7.3.2 prioritizes g ...)
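Review bot: the added release note `+ [buster] - sambda <not-affected> (Vulnerable code introduced later)` misspells the source package name, so the syntax check sees a release note for `sambda` with no preceding package note and rejects the commit with "release note must follow its package note". Spell it `[buster] - samba <not-affected> (Vulnerable code introduced later)` so it attaches to the `- samba 2:4.16.5+dfsg-2 (bug #1021024)` package note directly above it; the ordering of the two `[buster]`/`[bullseye]` release notes after that package note is otherwise correct.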
In this case the error comes because the release note "[buster] - sambda
..." does not follow a package note "- sambda ...", which hints this
time at a possible typo in the source package name. If the source
package name had been correct, the syntax check would have
indicated the wrong order next.
But this is not generally only a hint to a typo. Likewise the message
would come if two source package entries are covered and a release note
is put before the actual package note, e.g.
- linux ...
[buster] - amd64-microcode ...
- amd64-microcode
Revert the change as the hint is given to check if something is wrong
adding the release note. It *might* be a typo in the source package
note, but it might as well be a release note which is misplaced but
valid.
That said, this hints that the notation of 'package note' and
'release note' is not sufficiently well explained and might need some
clarification in the message from the syntax check or documentation.
The parser is not read-only but has write support, so it makes more
sense to have mutable classes so that API users can modify them
as appropriate rather than going through hoops to clone objects
in order to modify something.
That is no longer supported, see commit 8f844bff.
This was changed in 727ff2f44 but the test was not updated.
For suites older than bookworm, fix section to main, contrib and
non-free. Starting in bookworm an additional archive section
non-free-firmware will be present.
Link: https://bugs.debian.org/1030321
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
For releases with a component (e.g. buster/non-free),
releasepart_to_number was not splitting the component. This
was causing bad sorting on CVE pages for packages in contrib
or non-free.
8846bec76339 ("Fix CVE10k problem for CVE with more than 4 numbers")
introduced the initialization of schema 22 and introduced the machinery
to allow tracker.d.o to support reading next point release information.
On updates from already initialized databases with previous schemas this
worked fine, but as Neil Williams reported, this fails when starting
with a new instance.
Link: https://lists.debian.org/debian-security-tracker/2021/05/msg00024.html
Fixes: 8846bec76339 ("Fix CVE10k problem for CVE with more than 4 numbers")
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
The one from cgi has been removed in Python 3.8.
It was an alias for the latter, and has finally been removed in
Python 3.9.
Likewise for decodestring.
tracker_service: display CVE entries using natural sort order
See merge request security-tracker-team/security-tracker!76
to avoid annoying confusions with the default incorrect sort due to
e.g. CVE-2021-3392 considered higher than CVE-2021-20203
Approach:
- use 'COLLATE natorder' [1]; however, we'd have to leave the bug
unfixed for a few years, until this feature is merged and packaged
in stable sqlite3
[1] https://sqlite.org/forum/forumpost/e4dc6f3331
- sort at the Python level; AFAICS this breaks the current code global
logic that delegates the sort to the database, so we'd need to
revamp the Python code or introduce ad-hoc logic
- use a size-bounded sort at the SQL level (current patch) using a
reasonable max size (10 digits / 32-bits), until 1) is available.
(variable-length is feasible but impacts readability and performance)
It had no consequences in security-tracker: the
next-oldstable-point-update.txt file is empty and the
next-point-update.txt CVEs are not used yet for what I can see via this
code path.
The version is tracked in package_version, here we have a <tag>
assigned to the kind variable of the PackageAnnotation, so let's
call it kind to make it less confusing.
The signature no longer includes a bugs list.
That may have been used once upon a time, but it's not used anymore.
We no longer support Python 2.
This change and the previous ones based on work by Brian with
additional fixes and adaptations by me.
In some cases we are intentionally passing versions as kinds or
kinds as versions, and making it explicit makes it less confusing.
In order to support extended CVE files.
We need the original name (basically the year) in order to write it
back later. Besides the function was taking the line number rather
than a hash of the description, so it was buggy anyway.
If something needs the unique name at some point, we can add it in
an additional field.
Take them as they come, as our sorting is different than the one in
the file.
We are no longer concatenating tuples.
We need them in order to write the file back.
The rename happened too long ago, and VersionCompare is long gone.
We assume it exists in security_db anyway.
Otherwise we'll run into an endless loop under Python 3.
Release files no longer contain them.
The tempfile is opened in binary mode.
https://bugs.debian.org/931533