[Mageia-sysadm] Improving the mageia-updates@ messages
D.Morgan
dmorganec at gmail.com
Tue Nov 15 07:25:56 CET 2011
On Fri, Nov 11, 2011 at 2:28 AM, Anssi Hannula <anssi at mageia.org> wrote:
> Hi!
>
> I can think of some improvements to the update announcements:
>
> "Must-have":
> - Affected distribution
> - Updated package version-release (and probably names as well)
>
> "Nice-to-have":
> - Unnecessary duplication in Subject line, drop the
> "Package update: " part since it already has "[updates-announce]".
> - Information footer (at least mailing list info, maybe something else)
> - Some kind of ID even without a real advisory database (other than
> mailing list archives, and some way to prevent duplicate ids by
> mistake), so that we can be included in pages like
> http://lwn.net/Alerts/
> I suggest format 'MGASA-2011-1' for security updates.
> For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.
>
> "Maybe?":
> - [mageia-updates] instead of [updates-announce]
>
>
> For example:
>
> Subject: [mageia-updates] MGASA-2011-1: libpng
> ________________________________________________________________________
>
> Mageia Security Advisory MGASA-2011-1
>
> Distribution: Mageia 1
> Package: libpng
> ________________________________________________________________________
>
> Several vulnerabilities were discovered and corrected in libpng:
>
> * All released versions of libpng (from 1.0 onward) have a buffer
> overrun in the code that promotes palette images with transparency
> (1 channel) to grayscale+alpha images (2 channels), but only for
> applications that call png_rgb_to_gray() and not png_set_expand().
> (None are known.) An arbitrary amount of memory may be overwritten
> in this case, with arbitrary (attacker-controlled) data.
> This vulnerability has been assigned ID CVE-2011-2690.
>
> * libpng 1.2.20 and later crashes in png_default_error() due to internal
> use of a NULL pointer instead of the empty string (""). This
> vulnerability has been assigned ID CVE-2011-2691.
>
> * Many (most?) versions of libpng read uninitialized memory when
> handling empty sCAL chunks, and they handle malformed sCAL chunks (those
> lacking a delimiting NULL between the internal strings) incorrectly.
> This vulnerability has been assigned ID CVE-2011-2692.
>
> The updated packages have been updated to the latest stable version to
> correct these issues, plus other bug fixes.
> ________________________________________________________________________
>
> Updated packages: (or maybe only src package name + versions, to keep
> it shorter for e.g. tb/firefox updates?)
>
> Mageia 1, i586:
> libpng3-1.2.46-1.mga1.i586.rpm
> libpng-devel-1.2.46-1.mga1.i586.rpm
> libpng-source-1.2.46-1.mga1.i586.rpm
> libpng-static-devel-1.2.46-1.mga1.i586.rpm
>
> Mageia 1, x86_64:
> lib64png3-1.2.46-1.mga1.x86_64.rpm
> lib64png-devel-1.2.46-1.mga1.x86_64.rpm
> lib64png-static-devel-1.2.46-1.mga1.x86_64.rpm
> libpng-source-1.2.46-1.mga1.x86_64.rpm
>
> --
> mageia-updates mailing list.
> To unsubscribe, blablabla.
>
>
> --
> Anssi Hannula
For me this is the perfect format we should reach.
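As an added illustration of the proposed scheme (not code from the thread or from Mageia's tooling): a small Python helper that validates IDs of the form MGASA-2011-1 / MGAA-2011-1, allocates the next unused serial from the set of IDs already announced so duplicates by mistake cannot happen, and renders the Subject line and header block exactly as laid out above. The "Mageia Advisory" title for non-security MGAA IDs and the 72-character rule width are assumptions.

```python
"""Added example (not from the original thread): allocate and validate
advisory IDs in the proposed 'MGASA-2011-1' scheme and render the proposed
header block. Names and layout are assumptions, not Mageia's tooling."""
import re

# Security advisories use MGASA, other updates MGAA (the proposal also
# floats MGAUA; only these two prefixes are accepted here).
ID_RE = re.compile(r"^(MGASA|MGAA)-(\d{4})-(\d+)$")


def parse_id(advisory_id):
    """Return (kind, year, serial) or raise ValueError for a malformed ID."""
    m = ID_RE.match(advisory_id)
    if not m:
        raise ValueError("malformed advisory id: %r" % advisory_id)
    return m.group(1), int(m.group(2)), int(m.group(3))


def next_id(kind, year, issued):
    """Allocate the next serial for (kind, year), one past the highest one
    already announced, so an ID is never reused by mistake. `issued` is
    the set of IDs already sent (e.g. collected from the list archive)."""
    used = [parse_id(i)[2] for i in issued
            if parse_id(i)[0] == kind and parse_id(i)[1] == year]
    return "%s-%d-%d" % (kind, year, max(used, default=0) + 1)


def render_header(advisory_id, distribution, package, list_tag="mageia-updates"):
    """Build the Subject line and header block of the proposed format.
    A malformed ID raises before anything is rendered, so it cannot be mailed."""
    kind, _, _ = parse_id(advisory_id)
    title = "Mageia Security Advisory" if kind == "MGASA" else "Mageia Advisory"
    rule = "_" * 72  # assumed width of the separator line
    return "\n".join([
        "Subject: [%s] %s: %s" % (list_tag, advisory_id, package),
        rule, "", "%s %s" % (title, advisory_id), "",
        "Distribution: %s" % distribution,
        "Package: %s" % package, rule,
    ])


if __name__ == "__main__":
    # Constructed sample of IDs already announced on the list.
    issued = {"MGASA-2011-1", "MGASA-2011-2", "MGAA-2011-1"}
    new_id = next_id("MGASA", 2011, issued)  # -> MGASA-2011-3
    print(render_header(new_id, "Mageia 1", "libpng"))
```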