This post is mainly addressed to Matt and/or Javier, but all should feel free to comment, if they choose to.
On the Debian Web Pages TODO List, there is a security section that requests additional information for older advisories. Some of the oldest are on a page labeled 'undated'. I have collected references that could be used to update those advisories. Sample patches for one of the advisories were sent to the debian-www list, along with some questions. The responses were very helpful, including the one below:

# Excerpt from email exchanged on debian-www:

On Mon, Jul 21, 2003 at 11:15:14AM +0200, Gerfried Fuchs wrote:
>
> About your initial question if the security team should be informed of
> the changes, I guess Josip misunderstood it (or I do ,). You don't need
> to inform the security team about changes that don't change the core
> text of the advisory. If it's about changes to the infrastructure of
> the files (like, links back to the archive or cross references) you
> don't need to inform them. If you on the other hand like to change
> text which might change the meaning of the text it would rather be a
> good idea to ask them.
>
> Uhm, on second thought, I guess Matt and/or Javier are doing a database
> of cross-references to vulnerability databases, they might be interested
> in your changes in that part, too.
>

Matt and/or Javier, do you have any comments or suggestions? Do you want to be notified and/or approve the changes? If yes, where would you like the notification sent?

# Below is the text of a proposed ssh page.
## Note: there is nothing that absolutely ensures that the new
## information is related to the original DSA.
# cc = Is in the original wml file, but not displayed on the web page.
# ++ = proposed new data.
# The 'cc' and '++' won't be in the final version.

Date Reported: undated
Affected Packages: ssh
Vulnerable: cc Yes
Security database references:
++ CERT's vulnerabilities, advisories and incident notes: CA-1998-03.
More information:
ssh allowed non-privileged users to forward privileged ports.
Fixes: ssh 1.2.21-1 or later
++ The information below was added in July 2003:
++ * Insufficient permission checking may allow an SSH client user to
++   access remote accounts belonging to the ssh-agent user.
++ * SSH versions 1.2.17 through 1.2.21 are vulnerable. SSH versions prior
++   to 1.2.17 are vulnerable to a different, though similar, attack.
Fixed in:
cc Intel - (in release 1.1) 1.2.21-1

# End of sample.

The similarities between the old and new information in this case are:
- Version numbers correspond.
- The date of CA-1998-03 is in the correct time frame.
- CA-1998-03 contains text that is similar to the original DSA.

Changes are welcome. For example :), the ...July 2003 line was intended to preserve the integrity of the original DSA, but it does not, because the changes appear in different sections. I intend to remove that line.

Doug Jensen