Automate CVE assignment for renamed/branched/forked packages
Goal: a script that propagates a CVE assignment across a set of renamed, branched or forked source packages, so that a triager does not have to remember every sibling of a package by hand.
Example package sets:
- gnutls26 gnutls28
- golang golang-1.7 golang-1.8 golang-1.11 [golang is the jessie full package, not the newer meta-package]
- lynx lynx-cur
- php5 php7.0 php7.3 php7.4 php8.0
- python2.7 python3.4 python3.5 python3.7 python3.9
- unbound unbound-1.9
E.g., if a CVE is assigned to python3.4, it likely affects python2.7 too, so the script should add a corresponding entry for the related packages (e.g. in data/CVE/list) for the triager to confirm. One way to track such package sets is to maintain a renamed-packages file listing the source packages that belong together.
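The following is an added example of such a script, written for this page; it is not a security-team tool. It assumes a hypothetical renamed-packages file (one set of related source package names per line, `#` starts a comment) and handles only the subset of data/CVE/list syntax used in the constructed sample below (a `CVE-...` header line, tab-indented `- srcpkg status` lines, `NOTE:`/`TODO:` lines). The CVE ids, descriptions and versions in the sample are made up for the example.

```python
#!/usr/bin/env python3
"""Propose data/CVE/list entries for renamed/branched/forked sibling packages.

Added example for this wiki page, not a secteam/LTS script. Assumptions:
a renamed-packages file with one package set per line, and only the
data/CVE/list constructs exercised by the constructed sample at the bottom.
"""
import re

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
# main (non-release-specific) package line: "\t- srcpkg version-or-<status> (notes)"
PKG_RE = re.compile(r"^\t- (\S+) (\S+)(.*)$")


def parse_renamed(text):
    """Each non-comment line of the renamed-packages file is one set of siblings."""
    sets = []
    for line in text.splitlines():
        names = line.split("#", 1)[0].split()
        if len(names) > 1:
            sets.append(frozenset(names))
    return sets


def parse_cve_list(text):
    """Split data/CVE/list into entries: id, raw lines, and {srcpkg: status}."""
    entries, cur = [], None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            cur = {"id": m.group(1), "lines": [line], "pkgs": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first CVE header
        cur["lines"].append(line)
        p = PKG_RE.match(line)
        if p:
            cur["pkgs"][p.group(1)] = p.group(2)
    return entries


def propose(entries, sets):
    """Per CVE, map each sibling that has no entry yet to the package it was derived from.

    An explicit <not-affected> is a triage decision and is never spread to siblings;
    any other status (a fixed version, <unfixed>, <removed>, <undetermined>) is.
    Siblings that already have an entry of their own are left alone.
    """
    out = {}
    for e in entries:
        todo = {}
        for pkg, status in e["pkgs"].items():
            if status == "<not-affected>":
                continue
            for s in sets:
                if pkg not in s:
                    continue
                for sib in sorted(s - {pkg}):
                    if sib not in e["pkgs"] and sib not in todo:
                        todo[sib] = pkg
        if todo:
            out[e["id"]] = todo
    return out


def apply_proposals(entries, proposals, default="<unfixed>", removed=frozenset()):
    """Return the list text with proposed sibling lines inserted after the last package line.

    Siblings in `removed` (assumed: fed from a list of packages already gone from the
    archive) get the "- package <removed>" form suggested in the 2017 thread; others get
    `default`. A TODO line marks every addition so a human still confirms it.
    """
    out = []
    for e in entries:
        lines = list(e["lines"])
        todo = proposals.get(e["id"])
        if todo:
            last = max(i for i, l in enumerate(lines) if PKG_RE.match(l))
            new = [f"\t- {sib} {'<removed>' if sib in removed else default}"
                   for sib in sorted(todo)]
            srcs = ", ".join(sorted(set(todo.values())))
            new.append(f"\tTODO: check {', '.join(sorted(todo))} (proposed from {srcs} entry)")
            lines[last + 1:last + 1] = new  # keep NOTE:/TODO: lines after the package lines
        out.extend(lines)
    return "\n".join(out) + "\n"


# Constructed sample input (made-up CVE ids and descriptions, not real tracker data).
RENAMED = """\
# one set of related source packages per line
gnutls26 gnutls28
golang golang-1.7 golang-1.8 golang-1.11   # golang = jessie full package
lynx lynx-cur
php5 php7.0 php7.3 php7.4 php8.0
python2.7 python3.4 python3.5 python3.7 python3.9
unbound unbound-1.9
"""

CVE_LIST = """\
CVE-2099-0001 (constructed: crash in the bytecode compiler)
\t- python3.9 3.9.2-1
\t- python3.7 <unfixed>
\tNOTE: https://example.invalid/issue/1
CVE-2099-0002 (constructed: only the gnutls28 API is affected)
\t- gnutls28 <not-affected> (constructed: code not present)
CVE-2099-0003 (constructed: resolver crash)
\t- unbound 1.13.1-1
\tTODO: check
"""

if __name__ == "__main__":
    ents = parse_cve_list(CVE_LIST)
    props = propose(ents, parse_renamed(RENAMED))
    print(apply_proposals(ents, props, removed={"python3.4", "python3.5"}), end="")
```

On the sample, CVE-2099-0001 gains python2.7, python3.4 and python3.5 (python3.7 already has its own line), CVE-2099-0002 gains nothing because gnutls28 is marked <not-affected>, and CVE-2099-0003 gains unbound-1.9. The TODO line is deliberate: the script only proposes, and the triager still has to check each sibling (for instance that the jessie golang package really contains the affected code).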
History:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738172 - Track renames of source packages (2014) - secteam agrees
- https://lists.debian.org/debian-lts/2017/03/msg00177.html - Dealing with renamed source packages during CVE triaging (2017) - suggests preparing "- package <removed>" entries
- https://lists.debian.org/debian-lts/2021/02/msg00083.html - Tracking related source packages (2021) - conflicting feedback from secteam (jmm/carnil) (caution: the thread then mixes this up with #2 and dies)
Do not confuse this with #2 (tracking embedded code copies), which warrants a different workflow, has many more false positives, and tends to stall efforts on this task.
Edited by Sylvain Beucler