Hi,
On the Debian Web Pages TODO List, there is the following section:
security
Find the "moreinfo" entries for older years that contain mentions
of lists-archives instead of including text from it or even linking
to it, and correct it.
There are many advisories in 1997 and early 1998 that lack even the
basic extra information -- find it and document it. Somehow. :)
Change the pages to have 'fixed in' info in a tag instead of page body,
so that we can check for that tag in the template and not display
'Fixed in:' if it's empty.
I would like to work on that task, and have collected information
related to most of the DSAs on the "undated" page.
Questions on what to do next:
1) Should the Security team be notified of changes to the DSAs?
2) It seems difficult, sometimes, to be positive that the "new"
information is exactly what the original DSA was issued for.
My method so far has been:
a) Google, using; <keywords from the DSA> [1997 1998].
b) Scan various security archives.
c) Occasionally look in changelogs (generally didn't help).
d) Pick what seems to be the most appropriate information.
Comments, suggestions?
3) Below are three test patches. Comments, suggestions?
## Allows the "fixed in" data to be displayed (for Buzz/Rex).
## Affects several DSAs in the 1998, 1997, and undated directories.
## This template isn't being used for current DSAs, last used in 1998.
--- template/debian/fixes_link.wml.old Fri Nov 1 06:16:30 2002
+++ template/debian/fixes_link.wml.new Sat Jul 19 17:26:53 2003
@@ -16,6 +16,12 @@
<define-tag notapplicable whitespace=delete>
<gettext>N/A</gettext>
</define-tag>
+<define-tag in1_1 whitespace=delete>
+ <gettext>in release 1.1</gettext>
+</define-tag>
+<define-tag in1_2 whitespace=delete>
+ <gettext>in release 1.2</gettext>
+</define-tag>
<define-tag in1_3 whitespace=delete>
<gettext>in release 1.3</gettext>
</define-tag>
@@ -41,6 +47,14 @@
if ( $release eq "not" )
{
$str = "<notneeded/>";
+ }
+ elsif ( $release eq "buzz" )
+ {
+ $str = "$arch - (<in1_1/>) $version";
+ }
+ elsif ( $release eq "rex" )
+ {
+ $str = "$arch - (<in1_2/>) $version";
}
elsif ( $release eq "bo" )
{
## This change allows "Vunerable" to be "Yes" and "Security database
## reference" to be displayed.
--- security/undated/1ssh.data.old Thu Apr 19 09:52:11 2001
+++ security/undated/1ssh.data.new Sat Jul 19 17:37:41 2003
@@ -1,7 +1,8 @@
<define-tag pagetitle>ssh</define-tag>
<define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1998-03</define-tag>
<define-tag packages>ssh</define-tag>
-<define-tag isvulnerable>Yes</define-tag>
+<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>Yes</define-tag>
#use wml::debian::security
## Changes to 1ssh.wml to add new data.
## Note, there is nothing that absolutely insures that the new
## information is related to the original DSA.
--- security/undated/1ssh.wml.old Sun Jul 22 07:46:50 2001
+++ security/undated/1ssh.wml.new Sat Jul 19 16:39:20 2003
@@ -3,6 +3,17 @@
ssh allowed non-privileged users to forward privileged ports.
<p>Fixes: ssh 1.2.21-1 or later
+
+<p>The information below was added in July 2003. Please report
+additions or corrections to debian-www@lists.debian.org:
+<li>Insufficent permission checking may allow a SSH client user, to access
+remote accounts belonging to the ssh-agent user.
+<li>SSH versions 1.2.17 thru 1.2.21 are vulnerable. SSH versions prior to
+1.2.17 are vunerable to a different, though similar attack.
+<li>Reference to CA-1998-03 was added.
+<li>Changed "Vunerable" to show "Yes".
+<li>Data is now displayed for "Fixed in".
+
</define-tag>
# do not modify the following line
Doug Jensen
