On Wed, 22 Sep 2021 15:34:32 -0400 "Roberto C. Sanchez" <[email protected]> wrote:
> Package: security-tracker
> Severity: normal
>
>
> It appears that when parsing data/CVE/list and a URL is encountered,
> that extraneous characters can end up included in the link, which
> can result in the actual link not reflecting the intended link. For
> example, https://security-tracker.debian.org/tracker/CVE-2020-13230
> links to https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
> but incorrectly includes the closing parenthesis that denotes the end of
> the note text as part of the link.
This looks like it actually needs an improvement to the syntax of that CVE.
The URL would typically be part of a NOTE: line, not part of the comment.
e.g. current:
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not
	immediately ...)
	- cacti 1.2.11+ds1-1
	[buster] - cacti 1.2.2+ds1-2+deb10u3
	[stretch] - cacti <no-dsa> (Minor issue, Partial patch
	https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
	NOTE: https://github.com/Cacti/cacti/issues/3343
Proposed:
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not
	immediately ...)
	- cacti 1.2.11+ds1-1
	[buster] - cacti 1.2.2+ds1-2+deb10u3
	[stretch] - cacti <no-dsa> (Minor issue, Partial patch)
	NOTE: https://github.com/Cacti/cacti/issues/3343
	NOTE: https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
Other CVEs with URLs in the comment include:
CVE-2017-0381
CVE-2018-16869
CVE-2021-32686
CVE-2020-28491
CVE-2008-5161
All other CVEs that reference a URL do so via a NOTE: entry.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
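Added illustration of the parsing problem reported above (example code, not the security-tracker's own parser): a naive "everything up to whitespace" URL match swallows the closing parenthesis of the comment, while a small trimming step keeps a trailing ")" only when it balances a "(" inside the URL. The sample entry is the "current" form quoted in the reply; the names URL_RE, trim_url, extract_urls and classify_urls are this example's own.

```python
import re

# Constructed sample in data/CVE/list layout: the "current" form of the entry,
# with the patch URL embedded in the [stretch] comment text.
SAMPLE_ENTRY = """\
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not
\timmediately ...)
\t- cacti 1.2.11+ds1-1
\t[buster] - cacti 1.2.2+ds1-2+deb10u3
\t[stretch] - cacti <no-dsa> (Minor issue, Partial patch
\thttps://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
\tNOTE: https://github.com/Cacti/cacti/issues/3343
"""

# Greedy match: runs until the next whitespace, so a ')' that closes the
# surrounding comment ends up inside the captured link.
URL_RE = re.compile(r"https?://\S+")


def naive_urls(text):
    """Reproduce the reported behaviour: trailing ')' is part of the link."""
    return URL_RE.findall(text)


def trim_url(url):
    """Strip trailing punctuation that belongs to the prose, not the URL.

    A trailing ')' is kept only when the URL contains at least as many '('
    as ')', i.e. the parenthesis is part of the path itself.
    """
    while url and url[-1] in ".,;:)":
        if url[-1] == ")" and url.count("(") >= url.count(")"):
            break
        url = url[:-1]
    return url


def extract_urls(text):
    """URL extraction with the trailing-punctuation fix applied."""
    return [trim_url(u) for u in URL_RE.findall(text)]


def classify_urls(entry):
    """Split an entry's URLs into those on NOTE: lines and those buried in
    free-text comments (the ones the reply proposes moving to NOTE: lines)."""
    notes, comments = [], []
    for line in entry.splitlines():
        stripped = line.strip()
        target = notes if stripped.startswith("NOTE:") else comments
        target.extend(extract_urls(stripped))
    return notes, comments
```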