I talked with Wichert and Josip about this and, after finishing it, I would
like the
web team to approve these changes. The main idea is that currently the Security
Team
does not add information that correlates the Debian Security Advisories (DSA)
with
other databases (bugtraq or CVE), however, these sometimes do point to the DSAs.
Linking to Bugtraq is nice beacuse it provides more information for admins that
want
more in-depth informtion.
It also allows a path of verification of vulnerabilities since many
vulnerability
assesment scanners use CVE. An admin could, for example:
- run Nessus against a Debian system
- check the CVE/Bugtraq info regarding vulnerabilities
- check installed update/patches from DSAs and see how many of the previous are
false
positives.
- check the web site and see which DSAs fix which problems.
These idea comes from a previous post to debian-security in which I correlated
DSAs and
Bugtraq in order to do some security-fix analysis. So, I have some data I could
add to
these year's DSA for completeness (so the Security Team does not have to do so
themselves).
Adjointed is a patch to english/template/debian/security.wml. With this patch
.data
files from DSA can add <secids> tags referencing to Bugtraq and CVE and this
information will be included in the web page.
I adjoint:
1.- the patch (speaks for himself)
2.- a patch for dsa-011 to see how these information will be included
3.- dsa-011 compiled with the new patch to see how the information will be
presented.
If everyone think this is fine I will commit this to CVS in a week.
Comments?
Merry Christmas
Javi
PS: The patch could be improved so that it only printed the "More information"
if the
references are included (currently it will print it in any case, but my
knowledge of
WML stops here :(
Index: security.wml
===================================================================
RCS file: /cvs/webwml/webwml/english/template/debian/security.wml,v
retrieving revision 1.88
diff -u -r1.88 security.wml
--- security.wml 2001/09/22 20:27:45 1.88
+++ security.wml 2001/12/26 11:53:52
@@ -232,6 +232,46 @@
<ifeq "<isvulnerable>" "no" "<FONT COLOR=00FF00><no></FONT>">
</define-tag>
+<define-tag bugtraq whitespace=delete>
+ [EN:In the Bugtraq database (at SecurityFocus)::]
+ [ES:En la base de datos de Bugtraq (en SecurityFocus)::]
+</define-tag>
+<define-tag cve whitespace=delete>
+ [EN:In Mitre's CVE dictionary::]
+ [ES:En el diccionario CVE de Mitre::]
+</define-tag>
+
+<perl>
+sub security_references {
+ my $refstr = shift(@_);
+ my $str = "";
+ my $bid = "";
+ my $cve = "";
+ foreach $ref (split(' ',$refstr)) {
+ if ( $ref =~ /BID(\d+)/i ) {
+ $bid .= ", " if $bid ne "";
+ $bid .= "<a
href=\"http://www.securityfocus.com/cgi-bin/vulns-item.pl?id=".$1."\";>BID".$1."</A>";
+ }
+ if ( $ref =~ /CVE(\d+)/i ) {
+ $cve .= ", " if $cve ne "";
+ $cve .="<a
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=".$1."\";>CVE".$1."</A>";
+ }
+
+ }
+ $str .="<bugtraq> $bid" if $bid ne "";
+ $str .="<cve> $cve" if $cve ne "";
+
+ $str .= ". " if $str ne "";
+ return $str;
+}
+</perl>
+<define-tag secdbinfo>
+ [EN:Security Database references:]
+</define-tag>
+<define-tag secreferences>
+ <:= security_references("<secids>") :>
+</define-tag secreferences>
+
<define-tag fileurl whitespace=delete>
<A href="%0">%0</A><BR>
</define-tag>
@@ -248,6 +288,7 @@
<DT><datereported>: <DD><:= newsdate('<report_date>') :></DD>
<DT><affectedpackages>: <DD><packages></DD>
<DT><vulnerable>: <DD><vulnerability></DD>
+<DT><secdbinfo>:</DT><DD><secreferences></DD>
<DT><formoreinfo>: <DD><moreinfo></DD>
#<ifneq "{#securitybody#}" "" "
<DT><fixedin>: <DD>{#securitybody#}</DD>
Index: dsa-011.data
===================================================================
RCS file: /cvs/webwml/webwml/english/security/2001/dsa-011.data,v
retrieving revision 1.2
diff -r1.2 dsa-011.data
5a6
> <define-tag secids>BID2187</define-tag>
Title: Debian GNU/Linux -- Security Information -- DSA-011-2 mgetty
