
Extend the status usage in the tracker

Open Foxboron opened this issue 2 years ago • 7 comments

AVGs

Currently we have several AVGs which are either "Disputed" or have a status where it's open but can't realistically be fixed. What should we do with those and how should they interact with our todo list?

We use the "Bumped packages" section as our work queue in many cases and currently it's being cluttered by a couple of AVGs we simply can't deal with.

My suggestion for additional statuses:

  • Disputed - Hidden from /todo and mainly just kept as a reference. No fixed version should be expected
  • Won't Fix - Upstream can't or won't fix the issue, but it's a valid CVE. Hidden from the /todo list.

CVEs

A separate status for Investigating on the CVEs would be useful. We should also have a separate list of them on the /todo page so it's easier to see what is being worked on. "Unknown" isn't a great status and is ambiguous.

Foxboron avatar Apr 13 '22 09:04 Foxboron

So for those like AVG-1342, where the CVE only applies to certain setups and there is a config option to use as a workaround for those setups, it feels like another status might better express that.

Not sure about the name for that, but something that expresses it affects certain setups when using the default config and a workaround for those is available.

djerun avatar Apr 13 '22 10:04 djerun

A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

Foxboron avatar Apr 13 '22 11:04 Foxboron

@Foxboron can you please post all those AVGs here to better understand user stories and requirements.

anthraxx avatar Apr 13 '22 13:04 anthraxx

  • https://security.archlinux.org/AVG-1311
  • https://security.archlinux.org/AVG-2406
  • https://security.archlinux.org/AVG-2394
  • https://security.archlinux.org/AVG-2630
  • https://security.archlinux.org/AVG-1486
  • https://security.archlinux.org/AVG-1342
  • https://security.archlinux.org/AVG-2569
  • https://security.archlinux.org/AVG-1915

Foxboron avatar Apr 13 '22 13:04 Foxboron

AVG-1311 is a valid group and state, fix versions also exist, our package is just stuck with version 2. The patch seems trivial, we should probably backport a similar fix to 2.x.

anthraxx avatar Apr 13 '22 13:04 anthraxx

> A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

Hmm, what about Mitigation Exists? Not sure how much shorter that makes it though :thinking:

SantiagoTorres avatar Apr 14 '22 01:04 SantiagoTorres

I just went through the CVSSv3.1 Spec and in section 5 Qualitative Severity Rating Scale there is a rating of None for 0.0. I assume that one is meant for invalid CVEs. So hiding AVGs with only invalid CVEs rated as Severity None from /todo might be a thing, but I'm not so sure marking disputed CVEs as Severity None is the right approach.

The issue linked in the CVE of AVG-2406 was closed as invalid, but NVD still lists it as disputed with the original rating, and it will probably stay that way until someone goes through the effort of reproducing it or proving it invalid.

With AVG-2394 the issue is still open, so Stale or Waiting for Upstream Fix might be an appropriate status, though I haven't fully read through the details. AVG-1915 looks the same.

AVG-2630 looks like a case for Mitigation Exists.

djerun avatar Apr 15 '22 14:04 djerun