| 139 |
""". The data represented here is derived from: """, |
""". The data represented here is derived from: """, |
| 140 |
A("http://www.debian.org/security/#DSAS", "DSAs"), |
A("http://www.debian.org/security/#DSAS", "DSAs"), |
| 141 |
""" issued by the Security Team; issues tracked in the """, |
""" issued by the Security Team; issues tracked in the """, |
| 142 |
A("http://www.cve.mitre.org/cve/index.html", "CVE database"), |
A("http://cve.mitre.org/cve/", "CVE database"), |
| 143 |
""", issues tracked in the """, |
""", issues tracked in the """, |
| 144 |
A("http://nvd.nist.gov/", "National Vulnerability Database"), |
A("http://nvd.nist.gov/", "National Vulnerability Database"), |
| 145 |
""" (NVD), maintained by NIST; and security issues |
""" (NVD), maintained by NIST; and security issues |
| 146 |
discovered in Debian packages as reported in the BTS."""), |
discovered in Debian packages as reported in the BTS."""), |
| 147 |
P("""All exteral data (including Debian bug reports and official Debian |
P("""All external data (including Debian bug reports and official Debian |
| 148 |
security advisories) must be added to this database before it appears |
security advisories) must be added to this database before it appears |
| 149 |
here. Please help us keep this information up-to-date by """, |
here. Please help us keep this information up-to-date by """, |
| 150 |
A(url.scriptRelative("data/report"), "reporting"), |
A(url.scriptRelative("data/report"), "reporting"), |
| 151 |
""" any discrepancies or change of states that you are |
""" any discrepancies or change of states that you are |
| 152 |
aware of and/or help us improve the quality of this information by """, |
aware of and/or help us improve the quality of this information by """, |
| 153 |
A(url.scriptRelative("data/report"), "participiating"), |
A(url.scriptRelative("data/report"), "participating"), |
| 154 |
"."), |
"."), |
| 155 |
make_menu( |
make_menu( |
| 156 |
url.scriptRelative, |
url.scriptRelative, |
| 160 |
'Vulnerable packages in the testing suite'), |
'Vulnerable packages in the testing suite'), |
| 161 |
('status/release/stable', |
('status/release/stable', |
| 162 |
'Vulnerable packages in the stable suite'), |
'Vulnerable packages in the stable suite'), |
|
('status/release/oldstable', |
|
|
'Vulnerable packages in the oldstable suite'), |
|
| 163 |
('status/dtsa-candidates', "Candidates for DTSAs"), |
('status/dtsa-candidates', "Candidates for DTSAs"), |
| 164 |
('status/todo', 'TODO items'), |
('status/todo', 'TODO items'), |
| 165 |
('status/itp', 'ITPs with potential security issues'), |
('status/itp', 'ITPs with potential security issues'), |
| 202 |
# Redirect to start page. |
# Redirect to start page. |
| 203 |
return RedirectResult(url.scriptRelativeFull("")) |
return RedirectResult(url.scriptRelativeFull("")) |
| 204 |
|
|
| 205 |
# Attempt to decode a bug number. FAKE-nnn bugs (but not |
# Attempt to decode a bug number. TEMP-nnn bugs (but not |
| 206 |
# FAKE-nnn-mmm bugs) are treated as bug references, too. |
# TEMP-nnn-mmm bugs) are treated as bug references, too. |
| 207 |
bugnumber = 0 |
bugnumber = 0 |
| 208 |
fake_bug = False |
fake_bug = False |
| 209 |
try: |
try: |
| 210 |
if obj[0:5] == 'FAKE-': |
if obj[0:5] == 'FAKE-' or obj[0:5] == 'TEMP-': |
| 211 |
bugnumber = int(obj[5:]) |
bugnumber = int(obj[5:]) |
| 212 |
fake_bug = True |
fake_bug = True |
| 213 |
else: |
else: |
| 268 |
source_xref = self.make_dsa_ref(url, bug.name, 'Debian') |
source_xref = self.make_dsa_ref(url, bug.name, 'Debian') |
| 269 |
elif source == 'DTSA': |
elif source == 'DTSA': |
| 270 |
source_xref = 'Debian Testing Security Team' |
source_xref = 'Debian Testing Security Team' |
| 271 |
elif source == 'FAKE': |
elif source == 'TEMP': |
| 272 |
source_xref = ( |
source_xref = ( |
| 273 |
'Automatically generated temporary name. Not for external reference.') |
'Automatically generated temporary name. Not for external reference.') |
| 274 |
else: |
else: |
| 421 |
new_buglist = [] |
new_buglist = [] |
| 422 |
for b in buglist: |
for b in buglist: |
| 423 |
(bug_name, urgency, description) = b |
(bug_name, urgency, description) = b |
| 424 |
if bug_name[0:5] == "FAKE-": |
if bug_name[0:5] == 'FAKE-' or bug_name[0:5] == 'TEMP-': |
| 425 |
new_buglist.append(b) |
new_buglist.append(b) |
| 426 |
if len(new_buglist) > 0: |
if len(new_buglist) > 0: |
| 427 |
# Only replace the bug list if there are still fake |
# Only replace the bug list if there are still fake |
| 479 |
the backlog and will see what you have said. If you require a |
the backlog and will see what you have said. If you require a |
| 480 |
response, do not forget to let us know how to get a hold of you."""), |
response, do not forget to let us know how to get a hold of you."""), |
| 481 |
P("Mailing list: Our mailing list is: ", |
P("Mailing list: Our mailing list is: ", |
| 482 |
A("mailto:secure-testing-team@lists.alioth.debian.org", |
A("mailto:debian-security-tracker@lists.debian.org", |
| 483 |
"secure-testing-team@lists.alioth.debian.org")), |
"debian-security-tracker@lists.debian.org")), |
| 484 |
P("""Helping out: We welcome people who wish to join us in tracking |
P("""Helping out: We welcome people who wish to join us in tracking |
| 485 |
issues. The process is designed to be easy to learn and participate, |
issues. The process is designed to be easy to learn and participate, |
| 486 |
please read our """, |
please read our """, |
| 642 |
params, url) |
params, url) |
| 643 |
|
|
| 644 |
def page_status_release_testing(self, path, params, url): |
def page_status_release_testing(self, path, params, url): |
| 645 |
bf = BugFilter(params) |
bf = BugFilterNoDSA(params) |
| 646 |
|
|
| 647 |
def gen(): |
def gen(): |
| 648 |
old_pkg_name = '' |
old_pkg_name = '' |
| 649 |
for (pkg_name, bug_name, archive, urgency, |
for (pkg_name, bug_name, archive, urgency, |
| 650 |
sid_vulnerable, ts_fixed, remote) in self.db.cursor().execute( |
sid_vulnerable, ts_fixed, remote, no_dsa) \ |
| 651 |
|
in self.db.cursor().execute( |
| 652 |
"""SELECT package, bug, section, urgency, unstable_vulnerable, |
"""SELECT package, bug, section, urgency, unstable_vulnerable, |
| 653 |
testing_security_fixed, remote |
testing_security_fixed, remote, no_dsa |
| 654 |
FROM testing_status"""): |
FROM testing_status"""): |
| 655 |
if bf.urgencyFiltered(urgency): |
if bf.urgencyFiltered(urgency): |
| 656 |
continue |
continue |
| 657 |
if bf.remoteFiltered(remote): |
if bf.remoteFiltered(remote): |
| 658 |
continue |
continue |
| 659 |
|
if bf.nodsaFiltered(no_dsa): |
| 660 |
|
continue |
| 661 |
|
|
| 662 |
if pkg_name == old_pkg_name: |
if pkg_name == old_pkg_name: |
| 663 |
pkg_name = '' |
pkg_name = '' |
| 763 |
(SELECT testing.version_id < stable.version_id |
(SELECT testing.version_id < stable.version_id |
| 764 |
FROM source_packages AS testing, source_packages AS stable |
FROM source_packages AS testing, source_packages AS stable |
| 765 |
WHERE testing.name = testing_status.package |
WHERE testing.name = testing_status.package |
| 766 |
AND testing.release = 'etch' |
AND testing.release = 'lenny' |
| 767 |
AND testing.subrelease = '' |
AND testing.subrelease = '' |
| 768 |
AND testing.archive = testing_status.section |
AND testing.archive = testing_status.section |
| 769 |
AND stable.name = testing_status.package |
AND stable.name = testing_status.package |
| 770 |
AND stable.release = 'sarge' |
AND stable.release = 'etch' |
| 771 |
AND stable.subrelease = 'security' |
AND stable.subrelease = 'security' |
| 772 |
AND stable.archive = testing_status.section), |
AND stable.archive = testing_status.section), |
| 773 |
(SELECT range_remote FROM nvd_data |
(SELECT range_remote FROM nvd_data |
| 826 |
"Remote"))]) |
"Remote"))]) |
| 827 |
|
|
| 828 |
def page_status_todo(self, path, params, url): |
def page_status_todo(self, path, params, url): |
| 829 |
|
hide_check = params.get('hide_check', False) |
| 830 |
|
if hide_check: |
| 831 |
|
flags = A(url.updateParamsDict({'hide_check' : None}), |
| 832 |
|
'Show "check" TODOs') |
| 833 |
|
else: |
| 834 |
|
flags = A(url.updateParamsDict({'hide_check' : '1'}), |
| 835 |
|
'Hide "check" TODOs') |
| 836 |
|
|
| 837 |
def gen(): |
def gen(): |
| 838 |
for (bug, description) in self.db.getTODOs(): |
for (bug, description) in self.db.getTODOs(hide_check=hide_check): |
| 839 |
yield self.make_xref(url, bug), description |
yield self.make_xref(url, bug), description |
| 840 |
return self.create_page( |
return self.create_page( |
| 841 |
url, "Bugs with TODO items", |
url, "Bugs with TODO items", |
| 842 |
[make_table(gen(), |
[P(flags), |
| 843 |
|
make_table(gen(), |
| 844 |
caption=("Bug", "Description"))]) |
caption=("Bug", "Description"))]) |
| 845 |
|
|
| 846 |
def page_status_itp(self, path, params, url): |
def page_status_itp(self, path, params, url): |
| 866 |
url, "Unknown packages", |
url, "Unknown packages", |
| 867 |
[P("""Sometimes, a package referenced in a bug report |
[P("""Sometimes, a package referenced in a bug report |
| 868 |
cannot be found in the database. This can be the result of a spelling |
cannot be found in the database. This can be the result of a spelling |
| 869 |
return web_supporterror, or a historic entry refers to a |
error, or a historic entry refers to a |
| 870 |
return web_supportpackage which is no longer in the archive."""), |
package which is no longer in the archive."""), |
| 871 |
make_table(gen(), caption=("Package", "Bugs"), |
make_table(gen(), caption=("Package", "Bugs"), |
| 872 |
replacement="No unknown packages are referenced in the database.")]) |
replacement="No unknown packages are referenced in the database.")]) |
| 873 |
|
|
| 911 |
"""SELECT package, string_set(bug_name) |
"""SELECT package, string_set(bug_name) |
| 912 |
FROM package_notes AS p1 |
FROM package_notes AS p1 |
| 913 |
WHERE release <> '' |
WHERE release <> '' |
| 914 |
AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'FAKE-%') |
AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%') |
| 915 |
AND NOT EXISTS (SELECT 1 FROM package_notes AS p2 |
AND NOT EXISTS (SELECT 1 FROM package_notes AS p2 |
| 916 |
WHERE p2.bug_name = p1.bug_name |
WHERE p2.bug_name = p1.bug_name |
| 917 |
AND p2.package = p1.package |
AND p2.package = p1.package |
| 930 |
FROM package_notes AS p1 |
FROM package_notes AS p1 |
| 931 |
WHERE release <> '' |
WHERE release <> '' |
| 932 |
AND urgency <> 'unimportant' |
AND urgency <> 'unimportant' |
| 933 |
AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'FAKE-%') |
AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%') |
| 934 |
AND EXISTS (SELECT 1 FROM package_notes AS p2 |
AND EXISTS (SELECT 1 FROM package_notes AS p2 |
| 935 |
WHERE p2.bug_name = p1.bug_name |
WHERE p2.bug_name = p1.bug_name |
| 936 |
AND p2.package = p1.package |
AND p2.package = p1.package |
| 1024 |
a unique name. These names are not stable and can change when the database |
a unique name. These names are not stable and can change when the database |
| 1025 |
is updated, so they should not be used in external references."""), |
is updated, so they should not be used in external references."""), |
| 1026 |
P('''The automatically generated names come in two flavors: |
P('''The automatically generated names come in two flavors: |
| 1027 |
the first kind starts with the string "''', CODE("FAKE-000000-"), |
the first kind starts with the string "''', CODE("TEMP-000000-"), |
| 1028 |
'''". This means that no Debian bug has been assigned to this |
'''". This means that no Debian bug has been assigned to this |
| 1029 |
issue (or a bug has been created and is not recorded in this database). |
issue (or a bug has been created and is not recorded in this database). |
| 1030 |
In the second kind of names, there is a Debian bug for the issue, and the "''', |
In the second kind of names, there is a Debian bug for the issue, and the "''', |
| 1082 |
return url.absolute("http://cve.mitre.org/cgi-bin/cvename.cgi", |
return url.absolute("http://cve.mitre.org/cgi-bin/cvename.cgi", |
| 1083 |
name=name) |
name=name) |
| 1084 |
def url_nvd(self, url, name): |
def url_nvd(self, url, name): |
| 1085 |
return url.absolute("http://nvd.nist.gov/nvd.cfm", |
return url.absolute("http://web.nvd.nist.gov/view/vuln/detail", |
| 1086 |
cvename=name) |
vulnId=name) |
| 1087 |
|
|
| 1088 |
def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')): |
def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')): |
| 1089 |
match = re_dsa.match(dsa) |
match = re_dsa.match(dsa) |
| 1107 |
return url.absolute("http://packages.qa.debian.org/common/index.html", |
return url.absolute("http://packages.qa.debian.org/common/index.html", |
| 1108 |
src=package) |
src=package) |
| 1109 |
def url_testing_status(self, url, package): |
def url_testing_status(self, url, package): |
| 1110 |
return url.absolute("http://bjorn.haxx.se/debian/testing.pl", |
return url.absolute("http://release.debian.org/migration/testing.pl", |
| 1111 |
package=package) |
package=package) |
| 1112 |
def url_source_package(self, url, package, full=False): |
def url_source_package(self, url, package, full=False): |
| 1113 |
if full: |
if full: |
Parent Directory
| 
Revision Log
| 
Patch