[Mageia-sysadm] Improving the mageia-updates@ messages

Anssi Hannula anssi at mageia.org
Fri Nov 11 02:28:14 CET 2011


Hi!

I can think of some improvements to the update announcements:

"Must-have":
- Affected distribution
- Updated package version-release (and probably names as well)

"Nice-to-have":
- Unnecessary duplication in Subject line, drop the
  "Package update: " part since it already has "[updates-announce]".
- Information footer (at least mailing list info, maybe something else)
- Some kind of ID even without a real advisory database (other than
  mailing list archives, and some way to prevent duplicate ids by
  mistake), so that we can be included in pages like
  http://lwn.net/Alerts/
  I suggest format 'MGASA-2011-1' for security updates.
  For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.

"Maybe?":
- [mageia-updates] instead of [updates-announce]


For example:

Subject: [mageia-updates] MGASA-2011-1: libpng
________________________________________________________________________

 Mageia Security Advisory                                  MGASA-2011-1

 Distribution: Mageia 1
 Package: libpng
________________________________________________________________________

Several vulnerabilities were discovered and corrected in libpng:

* All released versions of libpng (from 1.0 onward) have a buffer
  overrun in the code that promotes palette images with transparency
  (1 channel) to grayscale+alpha images (2 channels), but only for
  applications that call png_rgb_to_gray() and not png_set_expand().
  (None are known.) An arbitrary amount of memory may be overwritten
  in this case, with arbitrary (attacker-controlled) data.
  This vulnerability has been assigned ID CVE-2011-2690.

* libpng 1.2.20 and later crashes in png_default_error() due to internal
  use of a NULL pointer instead of the empty string (""). This
  vulnerability has been assigned ID CVE-2011-2691.

* Many (most?) versions of libpng read uninitialized memory when
  handling empty sCAL chunks, and they handle malformed sCAL chunks
  (those lacking a delimiting NULL between the internal strings)
  incorrectly. This vulnerability has been assigned ID CVE-2011-2692.

The updated packages have been updated to the latest stable version to
correct these issues, plus other bug fixes.
________________________________________________________________________

Updated packages: (or maybe only src package name + versions, to keep
                   it shorter for e.g. tb/firefox updates?)

Mageia 1, i586:
   libpng3-1.2.46-1.mga1.i586.rpm
   libpng-devel-1.2.46-1.mga1.i586.rpm
   libpng-source-1.2.46-1.mga1.i586.rpm
   libpng-static-devel-1.2.46-1.mga1.i586.rpm

Mageia 1, x86_64:
   lib64png3-1.2.46-1.mga1.x86_64.rpm
   lib64png-devel-1.2.46-1.mga1.x86_64.rpm
   lib64png-static-devel-1.2.46-1.mga1.x86_64.rpm
   libpng-source-1.2.46-1.mga1.x86_64.rpm

-- 
mageia-updates mailing list.
To unsubscribe, blablabla.


-- 
Anssi Hannula
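The post asks for an advisory ID scheme and "some way to prevent duplicate ids by mistake". Below is an added example, not code from the post or from Mageia's own tooling, of how a small script could validate IDs in the proposed MGASA-YYYY-N / MGAA-YYYY-N form, recover the IDs already used from archived Subject lines, allocate the next free number, refuse a reused ID, and render the message layout the post sketches. The Subject lines and package list are constructed sample data; the function names and the "Mageia Advisory" title used for non-security updates are this example's own assumptions.

```python
import re

RULE = "_" * 72  # separator line, as in the proposed layout

# Proposed scheme from the post: MGASA-<year>-<n> for security updates,
# MGAA-<year>-<n> for other updates. Leading zeros are rejected so that
# "MGASA-2011-1" and "MGASA-2011-01" cannot both exist for the same advisory.
ADVISORY_ID_RE = re.compile(r"^(?P<kind>MGASA|MGAA)-(?P<year>\d{4})-(?P<seq>[1-9]\d*)$")

# Constructed sample: Subject lines as they might appear in the list archive.
SAMPLE_SUBJECTS = [
    "[mageia-updates] MGASA-2011-1: libpng",
    "[mageia-updates] MGASA-2011-2: freetype2",
    "[mageia-updates] MGAA-2011-1: kernel",
    "[updates-announce] Package update: vim",  # pre-scheme mail, carries no ID
]

# Constructed sample: updated packages grouped by distribution and arch.
SAMPLE_PACKAGES = {
    "Mageia 1, i586": ["libpng3-1.2.46-1.mga1.i586.rpm",
                       "libpng-devel-1.2.46-1.mga1.i586.rpm"],
    "Mageia 1, x86_64": ["lib64png3-1.2.46-1.mga1.x86_64.rpm",
                         "lib64png-devel-1.2.46-1.mga1.x86_64.rpm"],
}


def parse_advisory_id(advisory_id):
    """Split 'MGASA-2011-1' into ('MGASA', 2011, 1); reject anything else."""
    m = ADVISORY_ID_RE.match(advisory_id)
    if not m:
        raise ValueError(f"malformed advisory id: {advisory_id!r}")
    return m.group("kind"), int(m.group("year")), int(m.group("seq"))


def ids_from_subjects(subjects):
    """Collect the advisory IDs already used, from archived Subject lines."""
    used = []
    for subject in subjects:
        m = re.search(r"\b(?:MGASA|MGAA)-\d{4}-[1-9]\d*\b", subject)
        if m:
            used.append(m.group(0))
    return used


def next_advisory_id(kind, year, used_ids):
    """Allocate the next free sequence number for the given kind and year."""
    seqs = [s for k, y, s in map(parse_advisory_id, used_ids)
            if k == kind and y == year]
    return f"{kind}-{year}-{max(seqs, default=0) + 1}"


def assert_unused(advisory_id, used_ids):
    """Refuse an ID that is malformed or already present in the archive."""
    parse_advisory_id(advisory_id)  # raises on a malformed ID
    if advisory_id in used_ids:
        raise ValueError(f"advisory id already used: {advisory_id}")
    return advisory_id


def render_advisory(advisory_id, distribution, package, description, packages_by_target):
    """Render the message body in the layout proposed in the post."""
    kind = parse_advisory_id(advisory_id)[0]
    # Title for non-security advisories is an assumption of this example.
    title = "Mageia Security Advisory" if kind == "MGASA" else "Mageia Advisory"
    header = f" {title}{advisory_id:>{len(RULE) - len(title) - 1}}"
    lines = [RULE, "", header, "",
             f" Distribution: {distribution}", f" Package: {package}",
             RULE, "", description.rstrip(), RULE, "", "Updated packages:", ""]
    for target, rpms in packages_by_target.items():
        lines.append(f"{target}:")
        lines.extend(f"   {rpm}" for rpm in rpms)
        lines.append("")
    lines += ["-- ", "mageia-updates mailing list."]
    return "\n".join(lines)


if __name__ == "__main__":
    used = ids_from_subjects(SAMPLE_SUBJECTS)
    new_id = assert_unused(next_advisory_id("MGASA", 2011, used), used)
    print(render_advisory(new_id, "Mageia 1", "libpng",
                          "Several vulnerabilities were discovered and corrected in libpng.",
                          SAMPLE_PACKAGES))
```

Scanning the archive's Subject lines is the cheapest "database" available before a real advisory store exists; the allocation step is only safe if the scan runs right before sending, since two people drafting at the same time would otherwise both get the same number.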

