Package: debsecan
Version: 0.4.7
Severity: wishlist

When dealing with a suite like etch, debsecan looks for an exact version
match in a vulnerability's other_versions. This means that versions of a
package more recent than the version that fixed a vulnerability are
considered vulnerable.

For example, on an Etch box:

$ debsecan --only-fixed --format=detail --suite=etch
...
CVE-2007-1262 (fixed)
  Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter
...
  installed: squirrelmail 2:1.4.9a-3
             (built from squirrelmail 2:1.4.9a-3)
  fixed in unstable: squirrelmail 2:1.4.10a-1 (source package)
  fixed on branch:   squirrelmail 2:1.4.4-11 (source package)
  fixed on branch:   squirrelmail 2:1.4.9a-2 (source package)
  fix is available for the selected suite (etch)
...

I think this happens because Vulnerability.is_vulnerability returns:

        src_ver not in self.other_versions

I think debsecan should extend VersionAPT to use apt_pkg.UpstreamVersion(),
so the decision can be modified to return something like:

        If the installed version is the same or greater than any of the
        other_versions that have the same upstream version, then it is
        not vulnerable.

I'd have to learn a bit more Python before doing this myself, so I
wanted to first get someone to sanity check my interpretation of what
debsecan is doing, and my proposed improvement.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.7-xenU
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)

Versions of packages debsecan depends on:
ii  debconf [debconf-2.0]        1.5.11etch2 Debian configuration management sy
ii  python                       2.4.4-2     An interactive high-level object-o
ii  python-apt                   0.6.19      Python interface to libapt-pkg

Versions of packages debsecan recommends:
ii  cron                          3.0pl1-100 management of regular background p
ii  exim4                         4.63-17    metapackage to ease exim MTA (v4) 
ii  exim4-daemon-heavy [mail-tran 4.63-17    exim MTA (v4) daemon with extended

-- debconf information:
* debsecan/source:
* debsecan/mailto: root
* debsecan/report: true
* debsecan/suite: etch
