[Mageia-sysadm] Improving the mageia-updates@ messages

D.Morgan dmorganec at gmail.com
Tue Nov 15 07:25:56 CET 2011


On Fri, Nov 11, 2011 at 2:28 AM, Anssi Hannula <anssi at mageia.org> wrote:
> Hi!
>
> I can think of some improvements to the update announcements:
>
> "Must-have":
> - Affected distribution
> - Updated package version-release (and probably names as well)
>
> "Nice-to-have":
> - Unnecessary duplication in Subject line, drop the
>  "Package update: " part since it already has "[updates-announce]".
> - Information footer (at least mailing list info, maybe something else)
> - Some kind of ID even without a real advisory database (other than
>  mailing list archives, and some way to prevent duplicate ids by
>  mistake), so that we can be included in pages like
>  http://lwn.net/Alerts/
>  I suggest format 'MGASA-2011-1' for security updates.
>  For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.
>
> "Maybe?":
> - [mageia-updates] instead of [updates-announce]
>
>
> For example:
>
> Subject: [mageia-updates] MGASA-2011-1: libpng
> ________________________________________________________________________
>
>  Mageia Security Advisory                                  MGASA-2011-1
>
>  Distribution: Mageia 1
>  Package: libpng
> ________________________________________________________________________
>
> Several vulnerabilities were discovered and corrected in libpng:
>
> * All released versions of libpng (from 1.0 onward) have a buffer
>  overrun in the code that promotes palette images with transparency
>  (1 channel) to grayscale+alpha images (2 channels), but only for
>  applications that call png_rgb_to_gray() and not png_set_expand().
>  (None are known.) An arbitrary amount of memory may be overwritten
>  in this case, with arbitrary (attacker-controlled) data.
>  This vulnerability has been assigned ID CVE-2011-2690.
>
> * libpng 1.2.20 and later crashes in png_default_error() due to internal
>  use of a NULL pointer instead of the empty string (""). This vulnerability
>  has been assigned ID CVE-2011-2691.
>
> * Many (most?) versions of libpng read uninitialized memory when handling
>  empty sCAL chunks, and they handle malformed sCAL chunks (those lacking
>  a delimiting NULL between the internal strings) incorrectly.
>  This vulnerability has been assigned ID CVE-2011-2692.
>
> The updated packages have been updated to latest stable version to
> correct these issues, plus other bug fixes.
> ________________________________________________________________________
>
> Updated packages: (or maybe only src package name + versions, to keep
>                   it shorter for e.g. tb/firefox updates?)
>
> Mageia 1, i586:
>   libpng3-1.2.46-1.mga1.i586.rpm
>   libpng-devel-1.2.46-1.mga1.i586.rpm
>   libpng-source-1.2.46-1.mga1.i586.rpm
>   libpng-static-devel-1.2.46-1.mga1.i586.rpm
>
> Mageia 1, x86_64:
>   lib64png3-1.2.46-1.mga1.x86_64.rpm
>   lib64png-devel-1.2.46-1.mga1.x86_64.rpm
>   lib64png-static-devel-1.2.46-1.mga1.x86_64.rpm
>   libpng-source-1.2.46-1.mga1.x86_64.rpm
>
> --
> mageia-updates mailing list.
> To unsubscribe, blablabla.
>
>
> --
> Anssi Hannula

For me this is the perfect format we should reach.
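Added example, not code from this thread or from Mageia's infrastructure: a small Python parser and pre-send linter for advisories in the layout Anssi sketched, plus a registry covering the "prevent duplicate ids by mistake" point. It assumes the exact layout, the Subject form and the id prefixes from the proposal (MGASA, MGAA, MGAUA) and works on a constructed sample message; the `.mgaN.<arch>.rpm` file-name convention it checks is read off the package names in the example above.

```python
import re
from dataclasses import dataclass, field

# Id scheme from the proposal: MGASA-<year>-<n> for security updates,
# MGAA- or MGAUA-<year>-<n> for the rest (the exact prefixes are assumed).
ADVISORY_ID_RE = re.compile(r"^(MGASA|MGAA|MGAUA)-(\d{4})-(\d+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SUBJECT_RE = re.compile(r"^Subject: \[mageia-updates\] (\S+): (\S+)[ \t]*$", re.M)
BANNER_RE = re.compile(r"^[ \t]*Mageia (?:Security )?Advisory[ \t]+(\S+)[ \t]*$", re.M)
FIELD_RE = re.compile(r"^[ \t]*(Distribution|Package): (.+?)[ \t]*$", re.M)
ARCH_HEADER_RE = re.compile(r"^(.+?), (\w+):[ \t]*$")

# Constructed sample in the proposed layout; not a real Mageia advisory.
SAMPLE = """\
Subject: [mageia-updates] MGASA-2011-1: libpng
________________________________________________________________________
 Mageia Security Advisory                                  MGASA-2011-1
 Distribution: Mageia 1
 Package: libpng
________________________________________________________________________
* Buffer overrun when promoting palette images (CVE-2011-2690).
* NULL pointer use in png_default_error() (CVE-2011-2691).
* Uninitialized read on empty sCAL chunks (CVE-2011-2692).
________________________________________________________________________
Updated packages:
Mageia 1, i586:
  libpng3-1.2.46-1.mga1.i586.rpm
  libpng-devel-1.2.46-1.mga1.i586.rpm
Mageia 1, x86_64:
  lib64png3-1.2.46-1.mga1.x86_64.rpm
  libpng-source-1.2.46-1.mga1.x86_64.rpm
"""

@dataclass
class Advisory:
    advisory_id: str          # id taken from the Subject line
    subject_package: str
    banner_id: str = ""       # id repeated in the advisory banner
    distribution: str = ""
    package: str = ""
    cves: list = field(default_factory=list)
    packages: dict = field(default_factory=dict)  # (dist, arch) -> [rpm names]

def parse_advisory(text):
    m = SUBJECT_RE.search(text)
    if m is None:
        raise ValueError("no Subject line in the expected form")
    adv = Advisory(advisory_id=m.group(1), subject_package=m.group(2))
    b = BANNER_RE.search(text)
    adv.banner_id = b.group(1) if b else ""
    fields = dict(FIELD_RE.findall(text))
    adv.distribution = fields.get("Distribution", "")
    adv.package = fields.get("Package", "")
    for cve in CVE_RE.findall(text):  # first-appearance order, no repeats
        if cve not in adv.cves:
            adv.cves.append(cve)
    section, in_list = None, False
    for line in text.splitlines():
        in_list = in_list or line.startswith("Updated packages")
        hm = ARCH_HEADER_RE.match(line) if in_list else None
        if hm:  # "<dist>, <arch>:" opens a new package list
            section = (hm.group(1), hm.group(2))
            adv.packages[section] = []
        elif section and line.strip().endswith(".rpm"):
            adv.packages[section].append(line.strip())
    return adv

def lint_advisory(adv):
    """Consistency checks worth running before the mail goes out."""
    problems = []
    if not ADVISORY_ID_RE.match(adv.advisory_id):
        problems.append(f"malformed advisory id {adv.advisory_id!r}")
    if adv.banner_id != adv.advisory_id:
        problems.append(f"banner id {adv.banner_id!r} differs from subject id")
    if adv.subject_package != adv.package:
        problems.append("subject package differs from Package: field")
    disttag = "mga" + adv.distribution.split()[-1] if adv.distribution else ""
    for (dist, arch), rpms in adv.packages.items():
        if dist != adv.distribution:
            problems.append(f"package list for {dist!r} under Distribution {adv.distribution!r}")
        for rpm in rpms:  # each file name must carry the matching disttag and arch
            if not rpm.endswith(f".{disttag}.{arch}.rpm"):
                problems.append(f"{rpm} does not match {dist}/{arch}")
    return problems

class AdvisoryRegistry:
    """Hands out ids and refuses any that was already issued."""
    def __init__(self):
        self._ids = set()

    def register(self, adv_id):
        if not ADVISORY_ID_RE.match(adv_id):
            raise ValueError(f"malformed advisory id: {adv_id}")
        if adv_id in self._ids:
            raise ValueError(f"duplicate advisory id: {adv_id}")
        self._ids.add(adv_id)

    def next_id(self, prefix, year):
        used = [int(m.group(3)) for m in map(ADVISORY_ID_RE.match, self._ids)
                if m and m.group(1) == prefix and int(m.group(2)) == year]
        return f"{prefix}-{year}-{max(used, default=0) + 1}"
```

Running `lint_advisory(parse_advisory(SAMPLE))` on the constructed sample returns an empty list; changing only the banner id makes it report the mismatch against the Subject line. The registry keeps the issued ids in a set, so a reused MGASA id is rejected at `register()` time and `next_id()` always hands out the next free number per prefix and year.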
