This reverts commit 05e8e52378fe07d1e7e75613adfa8adf2fcd8c87.
There seems to be a bug with that commit. In fact for instance
CVE-2024-26652[1] will now show the unfixed versions marked as
vulnerable (unimportant). The entry at the point of this writing was:
CVE-2024-26652 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux <unfixed>
[bookworm] - linux <not-affected> (Vulnerable code not present)
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/ba18deddd6d502da71fd6b6143c53042271b82bd (6.8)
Note that the entry is not classified unimportant.
Another example is CVE-2024-26327[2]. Here the entries from bookworm
up to sid are shown with "vulnerable (unimportant)". This is incorrect as
well, as the issue is not unimportant.
CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...)
- qemu <unfixed>
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
[buster] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)
NOTE: https://lore.kernel.org/all/20240214-reuse-v4-5-89ad093a07f4%40daynix.com/
For now revert this commit.
[1]: https://security-tracker.debian.org/tracker/CVE-2024-26652
[2]: https://security-tracker.debian.org/tracker/CVE-2024-26327
They were marked as red and 'vulnerable'. Since they are marked
as unimportant, we should show that to not raise alarms.
Make the copyright statement complete.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
As noted by Thomas Lange, incremented DSA references were as well
pointing to the unversioned DSA page, for instance
https://security-tracker.debian.org/tracker/DSA-5576-2 refers in its
source field to https://www.debian.org/security/2023/dsa-5576 which will
redirect to the DSA-5576-1 announce mail.
Add logic to the url_dsa to only refer to the unversioned DSA reference
for the initial revision. Followups, either due to regression or
incomplete security fix will refer to the respective revision.
As potentially a later change on the debian-www side will make the
unversioned DSA entries refer to the latest mailinglist post about a
DSA, a followup commit might actually simplify the logic to always
generate the reference with the respective revision.
Reported-by: Thomas Lange <lange@cs.uni-koeln.de>
Link: https://lists.debian.org/debian-security/2024/01/msg00001.html
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
The NVD files are going away, and it's easier to switch to the
MITRE 'API' than to the new NVD one.
Closes: #1053702
present_issue returns true to exit.
When automatic NFU entry processing is enabled via the -a flag, then the
processing will error out as set_cve_nfu is not known. Move the
definition for set_cve_nfu upwards.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This was working when the file had already been downloaded,
but was broken if the file was not present in some code reorganization.
Rewrite check-new-issues in Python
Closes #20 and #16
See merge request security-tracker-team/security-tracker!140
If no explicit command is entered, it is assumed to be NFU.
This adds back that compatibility with the Perl version.
This partially reverts commit 7ebe865e to keep compatibility
with the old Perl version. However we keep the newly added
's' command to skip to next issue.
Pre-caching all of them takes quite some time, do it dynamically
instead so that one can start processing issues quickly, since
loading the next issue is not a problem, but loading 250k items is.
We don't want to autocomplete on foo if we're going to add
an autocompletion for 'foo <itp> (bug ...)' instead.
This should avoid accidentally typing something and having it
inserted as a NOT-FOR-US entry.
While at it, switch to the new MITRE CVE 5 API, as the previous
API will be removed soon.
Fixes #20
Expand the expression to include lines starting with [0-9a-z]
characters, as package names can start with alphanumeric characters.
Without this '7zip' was not found through fetching
https://security-tracker.debian.org/tracker/status/release/stable .
Reported-by: Moritz Muehlenhoff <jmm@debian.org>
Link: https://www.debian.org/doc/debian-policy/ch-controlfields.html#source
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This reverts commit e57c301b2c5ad6d664d964aa961e2edfb6c6e4cc.
Reasoning for the revert: At the point mkdir -p "$GIT_HOOKS_DIR" we did
already several operations on ${HOOK}. So ensuring the directory exists
seems likely to be done earlier. What concrete case led to this
change?
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Include in listing the oldstable distribution by enabling the boolean
value "include_oldstable" to true and so enabling the including logic
later on in the script.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This script is superseded by bin/update-xrefs and
bin/process-cve-records.
Fixes #24
See commit 5eccf413.
Related to #16
The old pages will eventually go away, so switch to the JSON
API now that there's one, as that should be cleaner than parsing
HTML.
Fixes #23.
We were downloading files from master instead of the suite branch,
so e.g. python2.7 was marked as limited support when it's still
supported in buster.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
This restores previous storing of the truncated descriptions in our
CVE list files until we know we can handle all non-ascii characters.
Particular care might be needed on webservice side.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Only the ones that came from MITRE.
If a CVE has a PackageAnnotation, it shouldn't get a TODO: check
note.
Don't only add them when we don't have one, but always update them
in case the description has changed.
And switch to argparse for argument processing.
This replaces the other part of bin/updatelist, but using the
new CVE JSON 5.0 format.
Closes #17, #18.
This partly replaces bin/updatelist.
This reverts commit 7816c862df2fc979aebce9f072e3cbf3d84c253c.