X-Original-To: alpine-devel@mail.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1])
	by mail.alpinelinux.org (Postfix) with ESMTP id 90A44DCE693
	for <alpine-devel@mail.alpinelinux.org>; Fri, 25 Mar 2016 20:35:08 +0000 (UTC)
Received: from mail-qk0-f170.google.com (mail-qk0-f170.google.com [209.85.220.170])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mail.alpinelinux.org (Postfix) with ESMTPS id 4E69EDC718C
	for <alpine-devel@lists.alpinelinux.org>; Fri, 25 Mar 2016 20:35:07 +0000 (UTC)
Received: by mail-qk0-f170.google.com with SMTP id p130so39936740qke.1
        for <alpine-devel@lists.alpinelinux.org>; Fri, 25 Mar 2016 13:35:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=coreos.com; s=google;
        h=date:from:to:message-id:in-reply-to:references:subject:mime-version;
        bh=91QR06Qa3pVO3a/eODVxcKyKYrejcD2px1CatAPJuos=;
        b=h4jXpMOHOC1hGmUnnFTGxz+z3DoYKL5mG57JKkrJ9NU9astNlPiZE2CLen2F1S6jgY
         xGhNelDIP9Z3wF4ysw7c0jJ0tcIByJ8m450roSTd2WeAvw8wlmidknlhbe7h0Rqt9IKa
         61GBe23EtfAqNUuzTqBnuzxg89vem/AeO8h/c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:date:from:to:message-id:in-reply-to:references
         :subject:mime-version;
        bh=91QR06Qa3pVO3a/eODVxcKyKYrejcD2px1CatAPJuos=;
        b=EtJUkqmLFWVygQVPZ86eK5vHcjCLvG/0YUffSJ/F7M6NoZp4hHLzegkF/SbAgGBlI5
         S5r8Q4A6dkuJiVQ6SUQzG53N9eit27zL/1P4swmAW6+60npVe2om6bRilPqoR0KGwYu6
         X14UXhBSaEMgN4qkbn0XItENS+6/QRNNm+m8TGZpSsS8zhtF9y+oO3G8FTuEk1TinS/0
         AAkLdDwNecBwhzUgiVS+Xr1n8X/VU4fWYjOjcgftahpWy2o0szOWwh8bma2MJHzGNLfU
         3UGgsdP9uvQfXrFSzxs9VHa1mUl0xhll2ahqgwpG3Ss7BypDvAYXRu227KrjeveJsQ+d
         rc0Q==
X-Gm-Message-State: AD7BkJLAwxMhFgmV0E1i1RjkRD0NJ6Peb1frGoxBQQs2+R3UjEmR/omNSXdyiwkTLBDjHf1b
X-Received: by 10.55.212.132 with SMTP id s4mr9715549qks.78.1458938107486;
        Fri, 25 Mar 2016 13:35:07 -0700 (PDT)
Received: from Mentalow-2.local ([65.209.47.35])
        by smtp.gmail.com with ESMTPSA id 100sm6047422qgg.44.2016.03.25.13.35.06
        for <alpine-devel@lists.alpinelinux.org>
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 25 Mar 2016 13:35:06 -0700 (PDT)
Date: Fri, 25 Mar 2016 16:35:05 -0400
From: Quentin Machu <quentin.machu@coreos.com>
To: alpine-devel@lists.alpinelinux.org
Message-ID: <etPan.56f5a0f9.d94e619.644@coreos.com>
In-Reply-To: <20160325045905.GA6060@newbook>
References: <CANtECw8gn93aiQ4qGoGcM3TJ4C6vLAK45cp62_nmHEL1usfg7A@mail.gmail.com>
 <1458852606.9023.4.camel@c89m3s1> <1458853405.9023.10.camel@c89m3s1>
 <etPan.56f46865.4aa9575.644@coreos.com> <20160325045905.GA6060@newbook>
Subject: Re: [alpine-devel] Alpine security tracker
X-Mailer: Airmail Beta (353)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="56f5a0f9_5e94fb7c_644"
X-Virus-Scanned: ClamAV using ClamSMTP

--56f5a0f9_5e94fb7c_644
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=46rom:=C2=A0Isaac Dunham=C2=A0<ibid.ag=40gmail.com>

There's also no associated package version.=C2=A0
However, it's theoretically possible to retrieve the package version in=C2=
=A0
an automated manner:=C2=A0
each issue has an associated git revision, and the diff will include a=C2=
=A0
change to the APKBUILD touching at least one of the two version numbers:=C2=
=A0
pkgver and pkgrel.=C2=A0
This is obviously going to be rather cumbersome to retrieve from a CVE=C2=
=A0
checker;=C2=A0
is there a way to hook into Redmine so it automatically parses this to ad=
d=C2=A0
pkgver/pkgrel fields=3F

=46rom what I saw, the descriptions usually mention the packages and thei=
r fixed versions (if any) =5B1=5D=5B2=5D. Could we simply create fields t=
o store them instead of writing them in the description=3F So we could ea=
sily parse them using any of the Redmine's export format (XML, =E2=80=A6)=
=3F

Sometimes, I am confused though because multiple different fixed versions=
 are listed, for the same Alpine Linux release =5B3=5D=5B4=5D.

=5B1=5D:=C2=A0https://bugs.alpinelinux.org/issues/5288
=5B2=5D:=C2=A0https://bugs.alpinelinux.org/issues/5238
=5B3=5D:=C2=A0https://bugs.alpinelinux.org/issues/5209
=5B4=5D:=C2=A0https://bugs.alpinelinux.org/issues/5244

Sometimes (usually=3F always=3F), if there are multiple releases affected=
,=C2=A0
there are separate issues for each release, with the affected release=C2=A0=

tagged.=C2=A0

=46or example:=C2=A0
5288,Alpine Linux,Bug,Closed,Normal,=5B3.0=5D openssh: missing sanitisati=
on of input for X11 forwarding (CVE-2016-3115),Natanael Copa,03/23/2016 1=
0:48 AM=C2=A0
5287,Alpine Linux,Bug,Closed,Normal,=5B3.1=5D openssh: missing sanitisati=
on of input for X11 forwarding (CVE-2016-3115),Natanael Copa,03/23/2016 1=
0:48 AM=C2=A0
5286,Alpine Linux,Bug,Closed,Normal,=5B3.2=5D openssh: missing sanitisati=
on of input for X11 forwarding (CVE-2016-3115),Natanael Copa,03/23/2016 1=
0:48 AM=C2=A0

If a bug is filed against the current release only, it will not be tagged=
.=C2=A0

This is pretty great, with that information and the package names/version=
s as discussed above, we basically have the hard part figured out. The re=
st is rest vulnerability name, severity, description as mentioned in my p=
revious e-mail. Except for the severity, the CVE names and descriptions a=
re also present either in the title and/or in the description. It probabl=
y just needs a more stable format to be parsable, I am not sure how it co=
uld be achieved with Redmine though.

You might have different versions at the same time, yes.=C2=A0
BTW: rather than testing/stable/oldstable, we have 'edge' and multiple=C2=
=A0
numbered releases.=C2=A0

Sure, that makes a lot of sense. That=E2=80=99s how Clair do it with othe=
r distributions, it uses numbered versions and then =E2=80=9Cunstable=E2=80=
=9D (or =E2=80=9Cedge=E2=80=9D in Alpine's case). I just wanted to simpli=
fy.

To summarize a bit, Clair (or any automated system with similar purposes)=
 has to be able to parse something like that at the end of the day:

Alpine-release: 3.2
Name: CVE-2015-XXXX
Severity: High
Description: =5B=E2=80=A6=5D
Link:=C2=A0https://bugs.alpinelinux.org/issues/X
Affecting:
=C2=A0 - bind9 (fixed by 9.10)
=C2=A0 - dnsmasq (unfixed)
=C2=A0=C2=A0
Alpine-release: 3.3
Name: CVE-2015-XXXX
Severity: Medium
Description: =5B=E2=80=A6=5D
Link:=C2=A0https://bugs.alpinelinux.org/issues/Y
Affecting:
=C2=A0 - bind9 (fixed by 9.15)
=C2=A0 - dnsmasq (fixed by 9.40)
=C2=A0 - skydns (unfixed)

Best Regards,
Quentin Machu
--56f5a0f9_5e94fb7c_644
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html><head><style>body=7Bfont-family:Helvetica,Arial;font-size:13px=7D</=
style></head><body style=3D=22word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space;=22><blockquote type=3D=22cit=
e=22 class=3D=22clean=5Fbq=22></blockquote>=46rom:&nbsp;Isaac Dunham&nbsp=
;<a href=3D=22mailto:ibid.ag=40gmail.com=22>&lt;ibid.ag=40gmail.com&gt;</=
a><br><blockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22></blockquote=
><font color=3D=22=230a51a1=22><br></font><div><blockquote type=3D=22cite=
=22 class=3D=22clean=5Fbq=22 style=3D=22font-family: Helvetica, Arial; fo=
nt-size: 13px; font-style: normal; font-variant: normal; font-weight: nor=
mal; letter-spacing: normal; orphans: auto; text-align: start; text-inden=
t: 0px; text-transform: none; white-space: normal; widows: auto; word-spa=
cing: 0px; -webkit-text-stroke-width: 0px;=22><div>There's also no associ=
ated package version.&nbsp;<br>However, it's theoretically possible to re=
trieve the package version in&nbsp;<br>an automated manner:&nbsp;<br>each=
 issue has an associated git revision, and the diff will include a&nbsp;<=
br>change to the APKBUILD touching at least one of the two version number=
s:&nbsp;<br>pkgver and pkgrel.&nbsp;<br>This is obviously going to be rat=
her cumbersome to retrieve from a CVE&nbsp;<br>checker;&nbsp;<br>is there=
 a way to hook into Redmine so it automatically parses this to add&nbsp;<=
br><div></div><div>pkgver/pkgrel fields=3F</div></div></blockquote></div>=
<div><br class=3D=22Apple-interchange-newline=22></div>=46rom what I saw,=
 the descriptions usually mention the packages and their fixed versions (=
if any) =5B1=5D=5B2=5D. Could we simply create fields to store them inste=
ad of writing them in the description=3F So we could easily parse them us=
ing any of the Redmine's export format (XML, =E2=80=A6)=3F<div><br>Someti=
mes, I am confused though because multiple different fixed versions are l=
isted, for the same Alpine Linux release =5B3=5D=5B4=5D.<div><br>=5B1=5D:=
&nbsp;<a href=3D=22https://bugs.alpinelinux.org/issues/5288=22>https://bu=
gs.alpinelinux.org/issues/5288</a><div>=5B2=5D:&nbsp;<a href=3D=22https:/=
/bugs.alpinelinux.org/issues/5238=22>https://bugs.alpinelinux.org/issues/=
5238</a><br>=5B3=5D:&nbsp;<a href=3D=22https://bugs.alpinelinux.org/issue=
s/5209=22>https://bugs.alpinelinux.org/issues/5209</a></div><div>=5B4=5D:=
&nbsp;<a href=3D=22https://bugs.alpinelinux.org/issues/5244=22>https://bu=
gs.alpinelinux.org/issues/5244</a></div><div><br><blockquote type=3D=22ci=
te=22 class=3D=22clean=5Fbq=22><div><blockquote type=3D=22cite=22 class=3D=
=22clean=5Fbq=22></blockquote>Sometimes (usually=3F always=3F), if there =
are multiple releases affected,&nbsp;<br><blockquote type=3D=22cite=22 cl=
ass=3D=22clean=5Fbq=22></blockquote>there are separate issues for each re=
lease, with the affected release&nbsp;<br><blockquote type=3D=22cite=22 c=
lass=3D=22clean=5Fbq=22></blockquote>tagged.&nbsp;<br><blockquote type=3D=
=22cite=22 class=3D=22clean=5Fbq=22></blockquote><br><blockquote type=3D=22=
cite=22 class=3D=22clean=5Fbq=22></blockquote>=46or example:&nbsp;<br><bl=
ockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22></blockquote>5288,Alp=
ine Linux,Bug,Closed,Normal,=5B3.0=5D openssh: missing sanitisation of in=
put for X11 forwarding (CVE-2016-3115),Natanael Copa,03/23/2016 10:48 AM&=
nbsp;<br><blockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22></blockqu=
ote>5287,Alpine Linux,Bug,Closed,Normal,=5B3.1=5D openssh: missing saniti=
sation of input for X11 forwarding (CVE-2016-3115),Natanael Copa,03/23/20=
16 10:48 AM&nbsp;<br><blockquote type=3D=22cite=22 class=3D=22clean=5Fbq=22=
></blockquote>5286,Alpine Linux,Bug,Closed,Normal,=5B3.2=5D openssh: miss=
ing sanitisation of input for X11 forwarding (CVE-2016-3115),Natanael Cop=
a,03/23/2016 10:48 AM&nbsp;<br><blockquote type=3D=22cite=22 class=3D=22c=
lean=5Fbq=22></blockquote><br>If a bug is filed against the current relea=
se only, it will not be tagged.&nbsp;<br></div></blockquote><font color=3D=
=22=230a51a1=22><br></font>This is pretty great, with that information an=
d the package names/versions as discussed above, we basically have the ha=
rd part figured out. The rest is rest vulnerability name, severity, descr=
iption as mentioned in my previous e-mail. Except for the severity, the C=
VE names and descriptions are also present either in the title and/or in =
the description. It probably just needs a more stable format to be parsab=
le, I am not sure how it could be achieved with Redmine though.<br><font =
color=3D=22=230a51a1=22><br></font><div><blockquote type=3D=22cite=22 cla=
ss=3D=22clean=5Fbq=22 style=3D=22font-family: Helvetica, Arial; font-size=
: 13px; font-style: normal; font-variant: normal; font-weight: normal; le=
tter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px;=
 text-transform: none; white-space: normal; widows: auto; word-spacing: 0=
px; -webkit-text-stroke-width: 0px;=22><div><div><blockquote type=3D=22ci=
te=22 class=3D=22clean=5Fbq=22></blockquote>You might have different vers=
ions at the same time, yes.&nbsp;<br><blockquote type=3D=22cite=22 class=3D=
=22clean=5Fbq=22></blockquote>BTW: rather than testing/stable/oldstable, =
we have 'edge' and multiple&nbsp;<br>numbered releases.&nbsp;</div></div>=
</blockquote></div><div><br class=3D=22Apple-interchange-newline=22></div=
>Sure, that makes a lot of sense. That=E2=80=99s how Clair do it with oth=
er distributions, it uses numbered versions and then =E2=80=9Cunstable=E2=
=80=9D (or =E2=80=9Cedge=E2=80=9D in Alpine's case). I just wanted to sim=
plify.<br><br></div><div>To summarize a bit, Clair (or any automated syst=
em with similar purposes) has to be able to parse something like that at =
the end of the day:</div><div><br></div><div>Alpine-release: 3.2</div><di=
v>Name: CVE-2015-XXXX</div><div>Severity: High</div><div>Description: =5B=
=E2=80=A6=5D</div><div>Link:&nbsp;<a href=3D=22https://bugs.alpinelinux.o=
rg/issues/5244=22>https://bugs.alpinelinux.org/issues/X</a></div><div>Aff=
ecting:</div><div>&nbsp; - bind9 (fixed by 9.10)</div><div>&nbsp; - dnsma=
sq (unfixed)</div><div>&nbsp;&nbsp;</div><div><div>Alpine-release: 3.3</d=
iv><div>Name: CVE-2015-XXXX</div><div>Severity: Medium</div><div>Descript=
ion: =5B=E2=80=A6=5D</div><div>Link:&nbsp;<a href=3D=22https://bugs.alpin=
elinux.org/issues/5244=22>https://bugs.alpinelinux.org/issues/Y</a></div>=
<div>Affecting:</div><div>&nbsp; - bind9 (fixed by 9.15)</div><div>&nbsp;=
 - dnsmasq (fixed by 9.40)</div></div><div>&nbsp; - skydns (unfixed)</div=
><div><br></div><div>Best Regards,</div><div>Quentin Machu</div></div></d=
iv></body></html>
--56f5a0f9_5e94fb7c_644--



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---