path: root/bin/gen-DSA
Commit message | Author | Age | Files | Lines
* gen-DSA: don't set extracvefile to "null" | Emilio Pozuelo Monfort | 2022-02-09 | 1 | -1/+1
| | | | | ...if the file config key doesn't exist, otherwise git commit will fail.
* gen-DSA: diff and commit changes to extracvefile | Emilio Pozuelo Monfort | 2022-02-01 | 1 | -2/+5
| | | | In case we're processing a dist that uses an ExtendFile.
* gen-DSA: sanitize DISTS var after calculating it | Emilio Pozuelo Monfort | 2022-02-01 | 1 | -1/+3
| | | | Rather than have every user have to do it.
* gen-DSA: Allow one more digit for the old style bug number format | Salvatore Bonaccorso | 2022-01-12 | 1 | -1/+1
| | | | | | | | The # prefixed bugnumber format was preferred to pass to the script, still we have the alternative of the digits only. Just bump the allowed digits by one now that we reached the 100000's bug. Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
* gen-DSA: only call remove-cve-dist-tags if there's dist info | Emilio Pozuelo Monfort | 2021-11-07 | 1 | -1/+3
| | | | | | | | | | When calling gen-DSA without --save, there's no version/release information, so skip the call there to avoid a crash. In those situations, gen-DSA will be called once more when the DSA is ready with the --save argument, and we'll then remove the appropriate CVE tags. Closes #9
* gen-DSA: Handle CVE list in DLA/ELA mode as well | Salvatore Bonaccorso | 2021-11-06 | 1 | -2/+2
| | | | | | | | | | The recent addition of the remove-cve-dist-tags hook in gen-D[SL]A script removes entries from data/CVE/list when they had a no-dsa (or its substates) which are handled in the update. When gen-DSA script is invoked in DLA mode though, there is a mechanism to automatically commit the changes (and option to push) but that did not take into account the changes in data/CVE/list.
* gen-DSA: only call remove-cve-dist-tags once [remove-cve-dist-tags-on-DSA] | Emilio Pozuelo Monfort | 2021-11-03 | 1 | -1/+5
| | | | | | | | | And do it after we've asked for all the versions. Calling the script after asking for each version and before asking for the next is annoying as the script takes some time due to the size of CVE/list. This way not only do we avoid that wait between user inputs, but we also avoid calling the script and thus parsing CVE/list multiple times.
* gen-DSA: call remove-cve-dist-tags | Emilio Pozuelo Monfort | 2021-11-03 | 1 | -0/+1
| | | | | This will remove 'obsolete' tags for a CVE for a given release and package if it is being fixed in a security update.
* gen-D[LS]A: Replace use of which with command -v | Salvatore Bonaccorso | 2021-08-21 | 1 | -2/+2
| | | | | | | As debianutils 5.3-1 deprecates the use of which and will be removed in a future update, switch to the command shell builtin. Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
* Not making any changes to a foo-needed.txt file may also indicate a ↵ | Chris Lamb | 2021-08-09 | 1 | -1/+1
| | | | misspelled (or conflated) source package name.
* gen-DSA: require DEBFULLNAME env variable | Emilio Pozuelo Monfort | 2020-08-31 | 1 | -0/+4
|
* Merge branch 'distro-config' into 'master' | Salvatore Bonaccorso | 2020-06-04 | 1 | -10/+20
|\ | | | | | | | | Distro config reunification See merge request security-tracker-team/security-tracker!48
| * gen-DSA: get distro info from config.json | Emilio Pozuelo Monfort | 2020-02-26 | 1 | -10/+20
| |
* | Don't warn about potential duplicate work when issuing a regression update; ↵ | Chris Lamb | 2020-03-19 | 1 | -1/+1
|/ | | | we will likely not be modifying dla-needed.txt.
* Revert "gen-DLA: reminder for package short description / context" | Sylvain Beucler | 2019-10-03 | 1 | -1/+1
| | | | | | This reverts commit c878209005bc1bb46345eb3f5cb6357135841131. This affects gen-* and carnil expressed it was unnecessary. I'll try to find another way to remember to add a short package description in security announcements.
* gen-DLA: reminder for package short description / context | Sylvain Beucler | 2019-10-03 | 1 | -1/+1
|
* Allow again removal of package/{old,}stable entries from *-needed list | Salvatore Bonaccorso | 2019-09-28 | 1 | -1/+1
| | | | | | | | | | | | | | Since the regular expression was tightened to fix a bug and not remove e.g. spice and spice-gtk from a *-needed.list removal of specific entries of packages/stable or packages/oldstable got broken (which is used by the Debian security team to mark entries which only need an update in one of the supported suites). Retain the desired fixed behaviour but try to allow to properly remove package/{old,}stable entries again. Fixes: b3070631dfbb ("bin/gen-DSA: Fix package removal from the needed_file. Don't remove packages starting with the same string as the to be removed package.") Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
* gen-{DSA,DLA}: Update mappings release and codenames | Salvatore Bonaccorso | 2019-07-06 | 1 | -4/+4
|
* also parse CVE's enclosed in square brackets | Thijs Kinkhorst | 2019-03-23 | 1 | -1/+1
|
* bin/gen-DSA: Fix package removal from the needed_file. Don't remove packages ↵ | Mike Gabriel | 2018-08-31 | 1 | -1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | starting with the same string as the to be removed package. Before this patch (spice was to be removed, spice-gtk got removed, too). ``` diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 106dbb0477..a8e6526c01 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -99,12 +99,6 @@ qemu (Santiago) -- samba (Holger Levsen) -- -spice (Mike Gabriel) - NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) --- -spice-gtk (Mike Gabriel) - NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) --- suricata (Thorsten Alteholz) -- symfony (Thorsten Alteholz) ``` With this patch (only spice gets removed, spice-gtk stays): ``` diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 106dbb0477..c7a975a471 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -99,9 +99,6 @@ qemu (Santiago) -- samba (Holger Levsen) -- -spice (Mike Gabriel) - NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) --- spice-gtk (Mike Gabriel) NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) -- ```
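Review bot: the before/after hunks on data/dla-needed.txt only exercise one case, a plain package name that is a prefix of another (spice against spice-gtk); the `@@ -99,9 +99,6 @@` result shows spice removed and spice-gtk kept, but no entry written with a suite suffix is present in either hunk. Suggest adding an entry of the form package/stable or package/oldstable to the demonstration, and quoting the changed match expression from bin/gen-DSA in the message so the anchoring itself can be reviewed rather than only its effect on the data file.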
* Revert "bin/gen-DSA: Fix package removal from the needed_file. Don't remove ↵ | Mike Gabriel | 2018-08-31 | 1 | -1/+1
| | | | | | packages starting with the same string as the to be removed package." This reverts commit 774eb447f4302c83e57978af5a429b9cbe306ab3. Because the commit message was incomplete.
* bin/gen-DSA: Fix package removal from the needed_file. Don't remove packages ↵ | Mike Gabriel | 2018-08-31 | 1 | -1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | starting with the same string as the to be removed package. Before this patch (spice was to be removed, spice-gtk got removed, too). ``` diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 106dbb0477..a8e6526c01 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -99,12 +99,6 @@ qemu (Santiago) -- samba (Holger Levsen) -- -spice (Mike Gabriel) - NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) --- -spice-gtk (Mike Gabriel) - NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) --- suricata (Thorsten Alteholz) -- symfony (Thorsten Alteholz) ``` With this patch (only spice gets removed, spice-gtk stays): ```
* bin/gen-DSA: Try and avoid duplicated work when generating DLAs and ELAs due ↵ | Chris Lamb | 2018-08-20 | 1 | -0/+3
| | | | to lack of co-ordination in the -needed.txt files.
* bin/gen-DSA: Use $needed_file. | Chris Lamb | 2018-08-20 | 1 | -2/+2
|
* bin/gen-DSA: Support ELA for pushing to the repository. | Chris Lamb | 2018-06-26 | 1 | -2/+2
|
* gen-DSA: allow other gen-* links | Emilio Pozuelo Monfort | 2018-06-08 | 1 | -6/+2
|
* In DLA mode: if git checkout found ask to push changes | Salvatore Bonaccorso | 2017-12-29 | 1 | -6/+8
| | | | | | | | Mention as well that a push is needed, not only a commit. Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@59018 e39458fd-73e7-0310-bf30-c45bca0a0e42
* gen-DSA: Accept more punctuation characters around CVE IDs in changes file | Ben Hutchings | 2017-06-20 | 1 | -1/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@52721 e39458fd-73e7-0310-bf30-c45bca0a0e42
* gen-{DSA,DLA}: Update mappings release and codenames | Salvatore Bonaccorso | 2017-06-17 | 1 | -4/+4
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@52641 e39458fd-73e7-0310-bf30-c45bca0a0e42
* gen-DSA, gen-DLA: Read details from .changes | Balint Reczey | 2017-03-02 | 1 | -2/+30
| | | | | | | Package name, version, bug(s) and cve(s) are filled from .changes file. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@49361 e39458fd-73e7-0310-bf30-c45bca0a0e42
* bin/gen-DSA: Fix wrapping of CVE ID list longer than 8 IDs | Ben Hutchings | 2017-01-03 | 1 | -1/+1
| | | | | | | Global replacement doesn't work very well when matching .+ each time. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@47703 e39458fd-73e7-0310-bf30-c45bca0a0e42
* bin/gen-DSA: Fix sorting of CVE IDs with last part >= 10000 | Ben Hutchings | 2017-01-03 | 1 | -2/+2
| | | | | | | Use sort -V, which seems to do the right thing. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@47702 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Use right_space to generate the CVE ids spacing | Raphael Geissert | 2016-12-01 | 1 | -4/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@46693 e39458fd-73e7-0310-bf30-c45bca0a0e42
* https for links to the GNU license list. | Paul Wise | 2016-03-01 | 1 | -1/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@40100 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Make bin/gen-DLA a bit more foolproof | Raphaël Hertzog | 2015-07-06 | 1 | -0/+15
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@35336 e39458fd-73e7-0310-bf30-c45bca0a0e42
* revert local changes to bin/gen-DSA that sneaked via previous commit (r34572) | Mike Gabriel | 2015-05-29 | 1 | -10/+2
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@34573 e39458fd-73e7-0310-bf30-c45bca0a0e42
* take libxml2, fuse | Mike Gabriel | 2015-05-29 | 1 | -2/+10
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@34572 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Merge branch 'jessie-release' | Salvatore Bonaccorso | 2015-04-25 | 1 | -5/+7
| | | | | | Prepare template text after jessie is new stable git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@33823 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Refactor some bits | Raphael Geissert | 2014-09-05 | 1 | -5/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28618 e39458fd-73e7-0310-bf30-c45bca0a0e42
* update gen-DLA as lts-needed.txt has been renamed to dla-needed.txt to match ↵ | Holger Levsen | 2014-09-04 | 1 | -1/+1
| | | | | | dsa-needed.txt git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28602 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Set LC_ALL, not just LANG | Raphael Geissert | 2014-08-24 | 1 | -1/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28458 e39458fd-73e7-0310-bf30-c45bca0a0e42
* merge bin/gen-D{L,S}A, yay | Raphael Geissert | 2014-08-24 | 1 | -47/+65
| | | | | | | From Portland, with love git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28457 e39458fd-73e7-0310-bf30-c45bca0a0e42
* make gen-DSA obtain the DSA id for regression updates | Raphael Geissert | 2014-08-10 | 1 | -5/+17
| | | | | | | | | | | | E.g. $ bin/gen-DSA acpi-support regression [...] Subject: [DSA 2984-2] acpi-support regression update git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28199 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Revert the use of https in the banner | Raphael Geissert | 2014-07-31 | 1 | -2/+2
| | | | | | | mails won't go through otherwise git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28022 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Link to www.d.o over https in DSA texts, and adjust gen-DSA accordingly | Raphael Geissert | 2014-07-31 | 1 | -2/+2
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28016 e39458fd-73e7-0310-bf30-c45bca0a0e42
* handle those useless 0s in front of the DLA ids | Raphael Geissert | 2014-07-22 | 1 | -1/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@27895 e39458fd-73e7-0310-bf30-c45bca0a0e42
* no longer set a fake description when unembargoing | Raphael Geissert | 2014-06-03 | 1 | -1/+1
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@27122 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Drop the "vulnerability" field | Raphael Geissert | 2014-03-12 | 1 | -77/+11
| | | | | | | | | A regression can still be signaled by passing it as the argument after the package name. E.g. bin/gen-DSA foo regression git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@26088 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Drop "problem type" and "debian-specific" fields | Raphael Geissert | 2014-02-08 | 1 | -2/+0
| | | | git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@25606 e39458fd-73e7-0310-bf30-c45bca0a0e42
* Allow the DSA text and entries to be generated for embargoed issues | Raphael Geissert | 2013-12-02 | 1 | -1/+39
| | | | | | | | | | | | | | Usage: bin/gen-DSA [--save] --embargo package description cve Then when about to release you svn *up* and: bin/gen-DSA --unembargo package An id will then be assigned and the dates corrected if needed git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@24532 e39458fd-73e7-0310-bf30-c45bca0a0e42
