From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-November/004091.html | 140 ++++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-November/004091.html (limited to 'zarb-ml/mageia-sysadm/2011-November/004091.html') diff --git a/zarb-ml/mageia-sysadm/2011-November/004091.html b/zarb-ml/mageia-sysadm/2011-November/004091.html new file mode 100644 index 000000000..99fa56922 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-November/004091.html @@ -0,0 +1,140 @@ + + + + [Mageia-sysadm] Improving the mageia-updates@ messages + + + + + + + + + +

[Mageia-sysadm] Improving the mageia-updates@ messages

+ D.Morgan + dmorganec at gmail.com +
+ Tue Nov 15 07:25:56 CET 2011 +

+
+ +
On Fri, Nov 11, 2011 at 2:28 AM, Anssi Hannula <anssi at mageia.org> wrote:
+> Hi!
+>
+> I can think of some improvements to the update announcements:
+>
+> "Must-have":
+> - Affected distribution
+> - Updated package version-release (and probably names as well)
+>
+> "Nice-to-have":
+> - Unnecessary duplication in Subject line, drop the
+>  "Package update: " part since it already has "[updates-announce]".
+> - Information footer (at least mailing list info, maybe something else)
+> - Some kind of ID even without a real advisory database (other than
+>  mailing list archives, and some way to prevent duplicate ids by
+>  mistake), so that we can be included in pages like
+>  http://lwn.net/Alerts/
+>  I suggest format 'MGASA-2011-1' for security updates.
+>  For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.
+>
+> "Maybe?":
+> - [mageia-updates] instead of [updates-announce]
+>
+>
+> For example:
+>
+> Subject: [mageia-updates] MGASA-2011-1: libpng
+> ________________________________________________________________________
+>
+>  Mageia Security Advisory                                  MGASA-2011-1
+>
+>  Distribution: Mageia 1
+>  Package: libpng
+> ________________________________________________________________________
+>
+> Several vulnerabilities were discovered and corrected in libpng:
+>
+> * All released versions of libpng (from 1.0 onward) have a buffer
+>  overrun in the code that promotes palette images with transparency
+>  (1 channel) to grayscale+alpha images (2 channels), but only for
+>  applications that call png_rgb_to_gray() and not png_set_expand().
+>  (None are known.) An arbitrary amount of memory may be overwritten
+>  in this case, with arbitrary (attacker-controlled) data.
+>  This vulnerability has been assigned ID CVE-2011-2690.
+>
+> * libpng 1.2.20 and later crashes in png_default_error() due to internal
+>  use of a NULL pointer instead of the empty string (""). This
+>  vulnerability
+>  has been assigned ID CVE-2011-2691.
+>
+> * Many (most?) versions of libpng read uninitialized memory when
+>  handling
+>  empty sCAL chunks, and they handle malformed sCAL chunks (those
+>  lacking
+>  a delimiting NULL between the internal strings) incorrectly.
+>  This vulnerability has been assigned ID CVE-2011-2692.
+>
+> The updated packages have been updated to latest stable version to
+> correct these issues, plus other bug fixes.
+> ________________________________________________________________________
+>
+> Updated packages: (or maybe only src package name + versions, to keep
+>                   it shorter for e.g. tb/firefox updates?)
+>
+> Mageia 1, i586:
+>   libpng3-1.2.46-1.mga1.i586.rpm
+>   libpng-devel-1.2.46-1.mga1.i586.rpm
+>   libpng-source-1.2.46-1.mga1.i586.rpm
+>   libpng-static-devel-1.2.46-1.mga1.i586.rpm
+>
+> Mageia 1, x86_64:
+>   lib64png3-1.2.46-1.mga1.x86_64.rpm
+>   lib64png-devel-1.2.46-1.mga1.x86_64.rpm
+>   lib64png-static-devel-1.2.46-1.mga1.x86_64.rpm
+>   libpng-source-1.2.46-1.mga1.x86_64.rpm
+>
+> --
+> mageia-updates mailing list.
+> To unsubscribe, blablabla.
+>
+>
+> --
+> Anssi Hannula
+
+For me this is the perfect format we should reach.
+
+ + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
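Review bot: The sender lines at the top of the added 004091.html ("dmorganec at gmail.com", and "anssi at mageia.org" in the quoted header) carry contributors' addresses protected only by the " at " substitution, which is trivially reversed once the file is browsable through the repository's web view. Consider masking the domain part on import, or state in the commit that the list's existing archive policy covers republication here. The commit message is also only the subject "Add zarb MLs html archives"; a body saying which archive export these files were taken from, and that they are generated files not meant to be hand-edited, would let a later reviewer check the 140 added lines against their source.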