Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codeh...@debian.org

This is one of a few bugs arising from discussions with Salvatore & Moritz whilst triaging CVEs. When an upload is made to unstable or experimental, triage of debian-devel-changes will list any CVEs fixed.

It would be useful to have a simple tool (bin/grab-cve-in-fix <package_name>) which:

- queries the latest version of source:<package_name> in unstable
- extracts all mentioned CVE IDs from the change
- creates a correctly formatted CVE snippet with the recorded fixes that can be reviewed and merged into the main data/CVE/list

All changes would need manual review.

The email from debian-devel-changes could provide enough information. Alternatively, tracker.d.o or apt-cache could be used (e.g. relying on the `make update-packages` support already available in the security tracker code).

1: Provide an option to parse the email from debian-devel-changes
2: Provide an option to look up the information using tracker.d.o
3: Fall back to looking up the information in the local apt-cache data populated by 'make update-packages'

Output a file which can be used with bin/merge-cve-files once the changes have been reviewed.

Additionally, implement support for a similar process to update all CVEs whenever a package moves out of NEW and into the archive.
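As an added illustration of option 1 (not part of this bug report or of the security-tracker code), the sketch below parses a constructed debian-devel-changes "Accepted" mail body, pulls out Source, Version and every CVE ID mentioned in the Changes field (with the bug closed on the same changelog line, when there is one), and emits a snippet for review. The .changes field handling and the data/CVE/list line format (tab-indented "- source version (bug #N)") are assumptions here.

```python
import re

# Constructed sample mail body (.changes format: RFC822-style fields, continuation lines start with a space).
SAMPLE_MAIL = """\
Source: examplepkg
Version: 1.2.3-2
Changes:
 examplepkg (1.2.3-2) unstable; urgency=high
 .
   * Fix cve-2024-0001: out-of-bounds read in the parser (Closes: #1000001)
   * Fix CVE-2024-0002; add regression tests for CVE-2024-0001
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 examplepkg_1.2.3-2.dsc
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
BUG_RE = re.compile(r"Closes:\s*#(\d+)", re.IGNORECASE)

def parse_fields(mail):
    """Split the mail into fields; a multi-line value is kept as one list entry per line."""
    fields, key = {}, None
    for line in mail.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key].append(line.strip())
        else:
            key, _, value = line.partition(":")
            fields[key.strip()] = [value.strip()] if value.strip() else []
    return fields

def cve_fixes(changes_lines):
    """Map each CVE ID (upper-cased, deduplicated) to the first bug closed on the same changelog line, if any."""
    fixes = {}
    for line in changes_lines:
        bug = BUG_RE.search(line)
        for cve in (c.upper() for c in CVE_RE.findall(line)):
            fixes.setdefault(cve, None)
            if fixes[cve] is None and bug:
                fixes[cve] = bug.group(1)
    return fixes

def grab_cve_snippet(mail):
    """Build a data/CVE/list-style snippet (format assumed) recording the fix, ready for manual review."""
    fields = parse_fields(mail)
    source, version = fields["Source"][0], fields["Version"][0]
    out = []
    for cve, bug in sorted(cve_fixes(fields.get("Changes", [])).items()):
        out.append(cve)
        out.append(f"\t- {source} {version}" + (f" (bug #{bug})" if bug else ""))
    return "\n".join(out) + "\n"
```

Running `grab_cve_snippet(SAMPLE_MAIL)` yields one entry per CVE, which a reviewer would check against the real description before merging with bin/merge-cve-files.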