[Mageia-sysadm] Improving the mageia-updates@ messages
dmorganec at gmail.com
Tue Nov 15 07:25:56 CET 2011
On Fri, Nov 11, 2011 at 2:28 AM, Anssi Hannula <anssi at mageia.org> wrote:
> I can think of some improvements to the update announcements:
> - Affected distribution
> - Updated package version-release (and probably names as well)
> - Unnecessary duplication in Subject line, drop the
> "Package update: " part since it already has "[updates-announce]".
> - Information footer (at least mailing list info, maybe something else)
> - Some kind of ID even without a real advisory database (other than
> mailing list archives, and some way to prevent duplicate ids by
> mistake), so that we can be included in pages like
> I suggest format 'MGASA-2011-1' for security updates.
> For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.
> - [mageia-updates] instead of [updates-announce]
> For example:
> Subject: [mageia-updates] MGASA-2011-1: libpng
> Mageia Security Advisory MGASA-2011-1
> Distribution: Mageia 1
> Package: libpng
> Several vulnerabilities were discovered and corrected in libpng:
> * All released versions of libpng (from 1.0 onward) have a buffer
> overrun in the code that promotes palette images with transparency
> (1 channel) to grayscale+alpha images (2 channels), but only for
> applications that call png_rgb_to_gray() and not png_set_expand().
> (None are known.) An arbitrary amount of memory may be overwritten
> in this case, with arbitrary (attacker-controlled) data.
> This vulnerability has been assigned ID CVE-2011-2690.
> * libpng 1.2.20 and later crashes in png_default_error() due to internal
> use of a NULL pointer instead of the empty string (""). This
> has been assigned ID CVE-2011-2691.
> * Many (most?) versions of libpng read uninitialized memory when processing
> empty sCAL chunks, and they handle malformed sCAL chunks (those without
> a delimiting NULL between the internal strings) incorrectly.
> This vulnerability has been assigned ID CVE-2011-2692.
> The updated packages have been updated to latest stable version to
> correct these issues, plus other bug fixes.
> Updated packages: (or maybe only src package name + versions, to keep
> it shorter for e.g. tb/firefox updates?)
> Mageia 1, i586:
> Mageia 1, x86_64:
> mageia-updates mailing list.
> To unsubscribe, blablabla.
> Anssi Hannula
For me this is the perfect format we should reach.
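As an added example, not code from the thread or from Mageia's infrastructure: a small Python sketch of the Subject/ID scheme proposed above, which allocates the next advisory id from the archive subjects already sent so that an id is never reused by mistake. It assumes the 'MGAA' form for non-security updates (the thread left that choice open) and the constructed archive subjects below.

```python
import re

# Id prefixes proposed in the thread; "MGAA" for non-security updates is an
# assumption, since the thread also floated "MGAUA".
PREFIX = {"security": "MGASA", "bugfix": "MGAA"}

# Subject in the proposed layout: "[mageia-updates] MGASA-2011-1: libpng"
SUBJECT_RE = re.compile(
    r"^\[mageia-updates\] (MGASA|MGAA)-(\d{4})-(\d+): (.+)$"
)


def parse_subject(subject):
    """Return (prefix, year, number, package) for a Subject in the proposed
    format, or None for anything else (e.g. the old "[updates-announce]"
    style, which carries no id)."""
    m = SUBJECT_RE.match(subject.strip())
    if m is None:
        return None
    prefix, year, num, package = m.groups()
    return prefix, int(year), int(num), package


def next_advisory_id(kind, year, archive_subjects):
    """Allocate <prefix>-<year>-<n> with n one past the highest number already
    used for that prefix and year. Using max+1 rather than the lowest free
    slot means a withdrawn or skipped id is never silently reused."""
    prefix = PREFIX[kind]
    highest = 0
    for subject in archive_subjects:
        parsed = parse_subject(subject)
        if parsed and parsed[0] == prefix and parsed[1] == year:
            highest = max(highest, parsed[2])
    return f"{prefix}-{year}-{highest + 1}"


def render_subject(kind, year, package, archive_subjects):
    """Subject line in the proposed format, with a freshly allocated id."""
    return f"[mageia-updates] {next_advisory_id(kind, year, archive_subjects)}: {package}"


# Constructed sample of subjects already in the list archive.
ARCHIVE = [
    "[updates-announce] Package update: libpng",      # old format, ignored
    "[mageia-updates] MGASA-2011-1: libpng",
    "[mageia-updates] MGASA-2011-3: openssl",        # 2011-2 was skipped
    "[mageia-updates] MGAA-2011-1: firefox",
]
```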