1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
#!/usr/bin/perl -w
# Compares the testing_status tables from two versions of security.db.
# To be accurate, both versions must have been created with the same
# revision of the tracker data files (but with different package files).
use strict;
use DBI;
my $TESTING="wheezy";
my $MAILTO='secure-testing-team@lists.alioth.debian.org';
my $MAILFROM='sf@sfritsch.de';
my @d = localtime(time);
my $MAILDATE = sprintf("%4d-%02d-%02d", $d[5] + 1900, $d[4] + 1, $d[3]);
if (@ARGV != 2) {
die "usage:\nlist-updates old.db new.deb\n";
}
my $migrated = {};
my $dtsa = {};
my $removed = {};
my $versions = {};
my $mail_text = "";
my $old_dbh = DBI->connect("dbi:SQLite:dbname=$ARGV[0]","","", { RaiseError => 1 });
my $new_dbh = DBI->connect("dbi:SQLite:dbname=$ARGV[1]","","", { RaiseError => 1 });
my $sth_version = $new_dbh->prepare("SELECT version, archive FROM source_packages WHERE name = ? AND release = '$TESTING' AND subrelease = ? ");
my $sth_desc = $new_dbh->prepare("SELECT description FROM bugs WHERE name = ?");
my $sth_debbug = $new_dbh->prepare("SELECT d.bug FROM package_notes p JOIN debian_bugs d ON d.note = p.id WHERE bug_name = ? AND package = ? AND release = ''");
my $old_issues = get_issues($old_dbh);
my $new_issues = get_issues($new_dbh);
foreach my $package ( sort keys %{$old_issues} ) {
$versions->{$package} = package_version($package); # undef if package does not exist in $new_dbh
foreach my $issue ( sort keys %{$old_issues->{$package}} ) {
my $old = $old_issues->{$package}->{$issue};
my $new = $new_issues->{$package}->{$issue};
if ( $new ) {
if ( $old->{testing_security_fixed} == 0
and $new->{testing_security_fixed} == 1 )
{
push @{$dtsa->{$package}}, $issue;
$versions->{$package} = package_version($package, "security");
}
}
else {
if ( ! defined $versions->{$package} ) {
push @{$removed->{$package}}, $issue;
}
elsif ( $old->{testing_security_fixed} != 1 ) {
push @{$migrated->{$package}}, $issue;
}
}
}
}
print_hash($dtsa, "DTSA", <<"EOF");
The following issues have been fixed by uploads to testing-security:
EOF
print_hash($migrated, "Migrated from unstable");
print_hash($removed, "Removed from testing", <<"EOF");
The following issues have been "fixed" by removing the (source) packages from
testing. This probably means that you have to manually uninstall the
corresponding binary packages to fix the issues.
It can also mean that the packages have been replaced, or that they have been
temporarily removed by the release team to make transitions from unstable
easier.
EOF
if ($mail_text) {
send_mail();
print "mail sent.\n";
}
else {
print "nothing fixed, no mail sent.\n";
}
# workaround DBD::Sqlite bug
undef $sth_version;
undef $sth_desc;
undef $sth_debbug;
########### end MAIN #############
sub print_mail {
$mail_text .= join('', @_);
}
sub print_both {
print_mail(@_);
print @_;
}
sub print_hash {
my $hash = shift;
my $name = shift;
my $desc = shift;
return if ! scalar keys %{$hash};
print_both("$name:\n");
print_both('=' x ( length($name) + 1) , "\n");
print_mail("$desc") if $desc;
foreach my $p (sort keys %{$hash}) {
my $version = "";
if ( $versions->{$p} ) {
$version = " $versions->{$p}";
}
print_both("$p" . $version . ":\n");
# sort DTSAs first
my @issues = sort grep(/^DTSA/, @{$hash->{$p}});
push @issues, sort grep(!/^DTSA/, @{$hash->{$p}});
my %seen_dbug;
foreach my $i (@issues) {
print_both(issue2string($i));
# print debian bug no more than once per package
my @dbugs = issue2debbug($i, $p);
foreach my $dbug (@dbugs) {
if ( ! $seen_dbug{$dbug} ) {
$seen_dbug{$dbug} = 1;
print_both(" "x15 . "https://bugs.debian.org/$dbug\n");
}
}
}
print_both("\n");
}
}
sub get_issues {
my $dbh = shift;
return $dbh->selectall_hashref(
'SELECT package, bug, unstable_vulnerable, testing_security_fixed FROM testing_status',
[ 'package', 'bug' ] );
}
sub package_version {
my $package = shift;
my $subrelease = shift || "";
$sth_version->execute($package, $subrelease);
my $result = $sth_version->fetchall_arrayref();
if (scalar @{$result} > 1) {
return "";
}
if (scalar @{$result} == 0) {
return undef;
}
my $archive = "";
if ($result->[0]->[1] ne 'main') {
$archive = " ($result->[0]->[1])";
}
return $result->[0]->[0] . $archive;
}
sub issue2string {
my $issue = shift;
my $url = "";
my $desc = "";
$sth_desc->execute($issue);
my $result = $sth_desc->fetchall_arrayref();
$desc = $result->[0]->[0];
if ( $issue =~ /^CVE-\d{4}-\d{4,}/ ) {
$url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" . $issue ;
return "$issue: $url\n";
}
elsif ( $issue =~ /^DTSA-/ ) {
return "$issue : $desc\n";
}
else {
return "<no CVE yet> : $desc\n";
}
}
sub issue2debbug {
my ($issue, $package) = @_;
$sth_debbug->execute($issue, $package);
my $rows = $sth_debbug->fetchall_arrayref();
my @bugs = map { $_->[0] } @{$rows};
return @bugs;
}
sub send_mail {
open(my $sendmail, "| /usr/sbin/sendmail -bm -ti") or die "could not invoke sendmail\n";
print $sendmail <<"EOF";
From: $MAILFROM
To: $MAILTO
Subject: Security update for Debian Testing - $MAILDATE
This automatic mail gives an overview over security issues that were recently
fixed in Debian Testing. The majority of fixed packages migrate to testing
from unstable. If this would take too long, fixed packages are uploaded to the
testing-security repository instead. It can also happen that vulnerable
packages are removed from Debian testing.
$mail_text
How to update:
--------------
Make sure the line
deb http://security.debian.org $TESTING/updates main contrib non-free
is present in your /etc/apt/sources.list. Of course, you also need the line
pointing to your normal $TESTING mirror. You can use
aptitude update && aptitude dist-upgrade
to install the updates.
More information:
-----------------
More information about which security issues affect Debian can be found in the
security tracker:
https://security-tracker.debian.org/tracker/
A list of all known unfixed security issues is at
https://security-tracker.debian.org/tracker/status/release/testing
EOF
#############################
close($sendmail);
if ($?) {
print "Sendmail error\n";
}
}
|
