[Bug 1374715] [NEW] CVE links in the updater are invalid
George Bateman
george.bateman16 at gmail.com
Sat Sep 27 09:53:53 UTC 2014
Public bug reported:
The auto-updater was asking for permission to update Bash. The "Changes" message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4
Version 4.3-7ubuntu1.4:
* SECURITY UPDATE: out-of-bounds memory access
- debian/patches/CVE-2014-718x.diff: guard against overflow and fix
off-by-one in parse.y and y.tab.c.
- CVE-2014-7186
- CVE-2014-7187
* SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- debian/patches/variables-affix.diff: add prefixes and suffixes in
variables.c.
Each CVE link went to an URL such as http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page which states that the CVE_ID is invalid. I would have expected to see a bug description of some sort.
Manually changing the URL to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error message, which now claims the ID is valid but unrecognised. I assume this is for the reason suggested, that the problem has not been uploaded, and that this is now the correct URL.
Does the code that generates the links need to include "CVE-" in the URLs?
I assume that this will apply to all updates, not just Bash, but I can't
yet verify this.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/update-manager
GsettingsChanges:
b'com.ubuntu.update-manager' b'show-details' b'true'
b'com.ubuntu.update-manager' b'window-height' b'1000'
b'com.ubuntu.update-manager' b'first-run' b'false'
b'com.ubuntu.update-manager' b'window-width' b'1215'
b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: update-manager (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug trusty
** Description changed:
The auto-updater was asking for permission to update Bash. The "Changes" message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4
Version 4.3-7ubuntu1.4:
- * SECURITY UPDATE: out-of-bounds memory access
- - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
- off-by-one in parse.y and y.tab.c.
- - CVE-2014-7186
- - CVE-2014-7187
- * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- - debian/patches/variables-affix.diff: add prefixes and suffixes in
- variables.c.
+ * SECURITY UPDATE: out-of-bounds memory access
+ - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
+ off-by-one in parse.y and y.tab.c.
+ - CVE-2014-7186
+ - CVE-2014-7187
+ * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
+ - debian/patches/variables-affix.diff: add prefixes and suffixes in
+ variables.c.
Each CVE link went to an URL such as http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page which states that the CVE_ID is invalid. I would have expected to see a bug description of some sort.
- Manually changing the URL to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error message, which now claims the ID is valid but unrecognised. (I assume this is for the reason suggested, that the problem has not been uploaded).
+ Manually changing the URL to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error message, which now claims the ID is valid but unrecognised. I assume this is for the reason suggested, that the problem has not been uploaded, and that this is now the correct URL.
+ Does the code that generates the links need to include "CVE-" in the URLs?
I assume that this will apply to all updates, not just Bash, but I can't
yet verify this.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:
-
+
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/update-manager
GsettingsChanges:
- b'com.ubuntu.update-manager' b'show-details' b'true'
- b'com.ubuntu.update-manager' b'window-height' b'1000'
- b'com.ubuntu.update-manager' b'first-run' b'false'
- b'com.ubuntu.update-manager' b'window-width' b'1215'
- b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
+ b'com.ubuntu.update-manager' b'show-details' b'true'
+ b'com.ubuntu.update-manager' b'window-height' b'1000'
+ b'com.ubuntu.update-manager' b'first-run' b'false'
+ b'com.ubuntu.update-manager' b'window-width' b'1215'
+ b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1374715
Title:
CVE links in the updater are invalid
Status in “update-manager” package in Ubuntu:
New
Bug description:
The auto-updater was asking for permission to update Bash. The "Changes" message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4
Version 4.3-7ubuntu1.4:
* SECURITY UPDATE: out-of-bounds memory access
- debian/patches/CVE-2014-718x.diff: guard against overflow and fix
off-by-one in parse.y and y.tab.c.
- CVE-2014-7186
- CVE-2014-7187
* SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- debian/patches/variables-affix.diff: add prefixes and suffixes in
variables.c.
Each CVE link went to an URL such as http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page which states that the CVE_ID is invalid. I would have expected to see a bug description of some sort.
Manually changing the URL to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error message, which now claims the ID is valid but unrecognised. I assume this is for the reason suggested, that the problem has not been uploaded, and that this is now the correct URL.
Does the code that generates the links need to include "CVE-" in the URLs?
I assume that this will apply to all updates, not just Bash, but I
can't yet verify this.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/update-manager
GsettingsChanges:
b'com.ubuntu.update-manager' b'show-details' b'true'
b'com.ubuntu.update-manager' b'window-height' b'1000'
b'com.ubuntu.update-manager' b'first-run' b'false'
b'com.ubuntu.update-manager' b'window-width' b'1215'
b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1374715/+subscriptions
More information about the foundations-bugs
mailing list