Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
95220151 by Salvatore Bonaccorso at 2024-03-31T23:02:21+02:00
Revert "tracker_service: make unimportant issues non-red"

This reverts commit 05e8e52378fe07d1e7e75613adfa8adf2fcd8c87.

There seems to be a bug with that commit. In fact for instance
CVE-2024-26652[1] will now show the unfixed versions marked as
vulnerable (unimportant). The entry at the point of this writing was:

CVE-2024-26652 (In the Linux kernel, the following vulnerability has been resolved:  n ...)
        - linux <unfixed>
        [bookworm] - linux <not-affected> (Vulnerable code not present)
        [bullseye] - linux <not-affected> (Vulnerable code not present)
        [buster] - linux <not-affected> (Vulnerable code not present)
        NOTE: https://git.kernel.org/linus/ba18deddd6d502da71fd6b6143c53042271b82bd (6.8)

Note that the entry is not classified unimportant.

Another example is CVE-2024-26327[2]. Here the entries up from bookworm
to sid are shown with "vulnerable (unimportant)". This is incorrect as
well, as the issue is not unimportant as well.

CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...)
        - qemu <unfixed>
        [bookworm] - qemu <no-dsa> (Minor issue)
        [bullseye] - qemu <not-affected> (Vulnerable code introduced later)
        [buster] - qemu <not-affected> (Vulnerable code introduced later)
        NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)
        NOTE: https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/

For now revert this commit.

[1]: https://security-tracker.debian.org/tracker/CVE-2024-26652
[2]: https://security-tracker.debian.org/tracker/CVE-2024-26327

- - - - -


1 changed file:

- bin/tracker_service.py


Changes:

=====================================
bin/tracker_service.py
=====================================
@@ -439,14 +439,6 @@ data source.""")],
 
         page.append(make_table(gen_header()))
 
-        def is_unimportant(bug, package):
-            if bug.notes:
-                for note in bug.notes:
-                    if note.package == package and str(note.urgency) == 
'unimportant':
-                        return True
-
-            return False
-
         if bug.notes:
 
             def gen_source():
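Review bot: the removed is_unimportant() matches only on note.package and str(note.urgency) and returns True on the first hit, with no per-release condition, so a single matching note decides the answer for every row of that package. If the yellow marking is reintroduced, the helper should also take the release of the row being rendered, and it should be checked against the CVE-2024-26652 and CVE-2024-26327 entries quoted in the commit message, neither of which is classified unimportant. The outer "if bug.notes:" guard in the helper is also redundant with the loop unless notes can be None.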
@@ -461,12 +453,8 @@ data source.""")],
                             self.make_source_package_ref(url, package),
                             " (", self.make_pts_ref(url, package, 'PTS'), ")")
                     if vulnerable == 1:
-                        if is_unimportant(bug, old_pkg):
-                            vuln = self.make_yellow('vulnerable (unimportant)')
-                            version = self.make_yellow(version)
-                        else:
-                            vuln = self.make_red('vulnerable')
-                            version = self.make_red(version)
+                        vuln = self.make_red('vulnerable')
+                        version = self.make_red(version)
                     elif vulnerable == 2:
                         vuln = self.make_purple('undetermined')
                         version = self.make_purple(version)
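Review bot: in the removed branch under "if vulnerable == 1:", the check is is_unimportant(bug, old_pkg), and old_pkg is assigned outside the visible lines; if it does not hold the package of the row currently being rendered, the yellow "vulnerable (unimportant)" label is decided from the wrong package. Restoring the unconditional make_red() pair fails safe, since an unfixed issue is never shown as less severe than it is. A follow-up that brings the feature back should pass the current row's package explicitly and add a regression test with one unimportant and one non-unimportant entry.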



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/952201519ea7bd432f81a11cdfa5960f5c623139
