[openssl-commits] [web] master update

Mark J. Cox mark at openssl.org
Tue Jan 30 09:44:09 UTC 2018


The branch master has been updated
       via  598ab94e8eaa78293e59bad5ea8515168e291fa7 (commit)
       via  43332d88869015a8e8f0d6fb8ab9ea2961a423e1 (commit)
       via  dabfc9a7ae3a3ae4ab3395b5b6e740defb4b52e0 (commit)
      from  0be639f38ad327963d1ae0e49abe1c90e0872b5c (commit)


- Log -----------------------------------------------------------------
commit 598ab94e8eaa78293e59bad5ea8515168e291fa7
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Jan 30 09:43:25 2018 +0000

    Make the per-version vulnerability files.  We could probably do something
    clever here to work out all the versions we have releases for.

commit 43332d88869015a8e8f0d6fb8ab9ea2961a423e1
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Jan 30 09:27:28 2018 +0000

    Link to all-issues page, better detection of "no vulnerabilities" for a given base version

commit dabfc9a7ae3a3ae4ab3395b5b6e740defb4b52e0
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Jan 30 09:19:21 2018 +0000

    Update mk-cvepage to remain backward compatible for now, but allow generation of a
    "per major version" vuln page.  So users of 1.1.0 can if they like just see a page
    of issues that were fixed in 1.1.0*

-----------------------------------------------------------------------

Summary of changes:
 Makefile       | 28 ++++++++++++++++++++++++++++
 bin/mk-cvepage | 53 +++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 75 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 3c73ac3..8a41c35 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,13 @@ SIMPLE = newsflash.inc sitemap.txt \
          news/openssl-1.1.0-notes.inc \
 	 news/newsflash.inc \
 	 news/vulnerabilities.inc \
+	 news/vulnerabilities-1.1.0.inc \
+	 news/vulnerabilities-1.0.2.inc \
+	 news/vulnerabilities-1.0.1.inc \
+	 news/vulnerabilities-1.0.0.inc \
+	 news/vulnerabilities-0.9.8.inc \
+	 news/vulnerabilities-0.9.7.inc \
+	 news/vulnerabilities-0.9.6.inc \
 	 source/.htaccess \
 	 source/license.txt \
 	 source/index.inc
@@ -118,6 +125,27 @@ news/newsflash.inc: news/newsflash.txt
 news/vulnerabilities.inc: bin/mk-cvepage news/vulnerabilities.xml
 	@rm -f $@
 	./bin/mk-cvepage -i news/vulnerabilities.xml > $@
+news/vulnerabilities-1.1.0.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.1.0 > $@
+news/vulnerabilities-1.0.2.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.2 > $@
+news/vulnerabilities-1.0.1.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.1 > $@
+news/vulnerabilities-1.0.0.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 1.0.0 > $@
+news/vulnerabilities-0.9.8.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.8 > $@
+news/vulnerabilities-0.9.7.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.7 > $@
+news/vulnerabilities-0.9.6.inc: bin/mk-cvepage news/vulnerabilities.xml
+	@rm -f $@
+	./bin/mk-cvepage -i news/vulnerabilities.xml -b 0.9.6 > $@
 source/.htaccess: $(wildcard source/openssl-*.tar.gz) bin/mk-latest
 	@rm -f @?
 	./bin/mk-latest source >$@
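Review bot: The seven new targets at L65–L85 are identical apart from the version string, which is exactly the duplication the commit message's "something clever" alludes to; a single pattern rule covers all of them and any future base version: `news/vulnerabilities-%.inc: bin/mk-cvepage news/vulnerabilities.xml`, `	@rm -f $@`, `	./bin/mk-cvepage -i news/vulnerabilities.xml -b $* > $@`. The SIMPLE list in the first hunk would still enumerate the versions to build, so the per-version knowledge lives in one place instead of two.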
diff --git a/bin/mk-cvepage b/bin/mk-cvepage
index 57bc798..70e18cc 100755
--- a/bin/mk-cvepage
+++ b/bin/mk-cvepage
@@ -45,9 +45,20 @@ def merge_affects(issue,base):
           anext = anext[:-1]+chr(ord(anext[-1])+1)
 
     return ",".join(['-'.join(map(str,aff)) for aff in alist])
-        
+
+def allyourbase(issues):
+    allbase = []
+    # find all the major versions of OpenSSL we have vulnerabilities fixed in
+    for affects in issues.getElementsByTagName('fixed'):
+        if (affects.getAttribute("base") not in allbase):
+            if ("fips" not in affects.getAttribute("base")):  # temporary hack 
+                allbase.append(affects.getAttribute("base"))
+    return sorted(allbase, reverse=True)
+
+
 parser = OptionParser()
 parser.add_option("-i", "--input", help="input vulnerability file live openssl-web/news/vulnerabilities.xml", dest="input")
+parser.add_option("-b", "--base", help="only include vulnerabilities for this major version (i.e. 1.0.1)", dest="base")
 (options, args) = parser.parse_args()
 
 # We need an output directory not stdout because we might write multiple files
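Review bot: `sorted(allbase, reverse=True)` at L106 orders version strings lexicographically, which only matches numeric order while every component is a single digit (true for the bases listed in the Makefile, but "0.9.10" or "1.1.10" would sort before "0.9.8"/"1.1.1"); if all surviving bases are dotted integers, `key=lambda b: tuple(int(p) for p in b.split("."))` gives a stable numeric order, though the "fips" hack at L104 suggests not every base attribute is numeric, so that assumption should be confirmed against vulnerabilities.xml. The "temporary hack" comment would be more useful as `# TODO: fips bases are excluded until the per-base pages can represent them` so the reader knows what "temporary" is waiting on. In the `-b` help text at L111, "i.e." should be "e.g." since 1.0.1 is one example, not the definition.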
@@ -68,6 +79,15 @@ allyears = []
 # Display issues latest by date first, if same date then by highest CVE
 allissues = ""
 for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElementsByTagName('cve')[0].getAttribute('name')),reverse=True):
+
+    if options.base:
+        include = 0
+        for affects in issue.getElementsByTagName('fixed'):
+            if (affects.getAttribute("base") in options.base):
+                include = 1
+        if (include == 0):
+            continue
+    
     date = issue.getAttribute('public')
     year = date[:-4]
     if (year != thisyear):
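Review bot: The filter at L123 uses `in` on two strings, so it is a substring test rather than an equality test: a hypothetical base "1.0" would match `-b 1.0.1`, and `-b 1.0` would match nothing while `-b 1.0.1.` would silently match "1.0.1". The intent is equality, and the whole block collapses to `if options.base and not any(a.getAttribute("base") == options.base for a in issue.getElementsByTagName('fixed')):` followed by `continue`. The same substring comparison recurs at L147 and L167 in the last hunk. The enclosing `for issue` loop starting at L118 continues past this hunk.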
@@ -80,7 +100,7 @@ for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElemen
 
     allissues += "<dt>"
     if cve:
-        allissues += "<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s\">CVE-%s</a> " %(cve,cve)
+        allissues += "<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s\" name=\"CVE-%s\">CVE-%s</a> " %(cve,cve,cve)
     for adv in issue.getElementsByTagName('advisory'):
         allissues += "<a href=\"%s\">(OpenSSL advisory)</a> " %(adv.getAttribute("url"))
     for sev in issue.getElementsByTagName('impact'):
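Review bot: The new `name=\"CVE-%s\"` at L136 is the anchor that the `#CVE-%s` cross-page links in the last hunk rely on, so it is worth a comment saying so, e.g. `# anchor targeted by the per-base pages' "also addressed in" links`. HTML5 marks the `name` attribute on `<a>` as obsolete while `id` is honoured by every browser generation, so `id=\"CVE-%s\"` would be the safer spelling for the same fragment.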
@@ -94,20 +114,41 @@ for issue in sorted(issues, key=lambda x: (x.getAttribute('public'), x.getElemen
        allissues += " Reported by %s. " %(reported.getAttribute("source"))
     allissues += "<ul>"
 
+    also = []
     for affects in issue.getElementsByTagName('fixed'):
+        if options.base:
+            if (affects.getAttribute("base") not in options.base):
+                also.append("OpenSSL <a href=\"vulnerabilities-%s.html#CVE-%s\">%s</a>" %( affects.getAttribute('base'), cve, affects.getAttribute('version')))
+                continue
         allissues += "<li>Fixed in OpenSSL %s " %(affects.getAttribute('version'))
         for git in affects.getElementsByTagName('git'):
             allissues += "<a href=\"https://github.com/openssl/openssl/commit/%s\">(git commit)</a> " %(git.getAttribute('hash'))            
         allissues += "(Affected "+merge_affects(issue,affects.getAttribute("base"))+")"       
         allissues += "</li>"
+    if also:
+        allissues += "<li>This issue was also addressed in "+ ", ".join( also)
     allissues += "</ul></dd>"
 
-allissues += "</dl>"
 preface = "<!-- do not edit this file it is autogenerated, edit vulnerabilities.xml -->"
-preface += "<p><a name=\"toc\">Jump to year: </a>"
-preface += ", ".join( "<a href=\"#y%s\">%s</a>" %(year,year) for year in allyears)
+if options.base:
+    # for now don't put the link to the per-base page on main page until it's ready to go live
+    bases = []
+    for base in allyourbase(dom):
+        if (options.base and base in options.base):
+            bases.append("%s" %(base))
+        else:
+            bases.append( "<a href=\"vulnerabilities-%s.html\">%s</a>" %(base,base))
+    preface += "Show issues fixed only in OpenSSL " + ", ".join(bases)
+    if (options.base):
+        preface += ", or <a href=\"vulnerabilities.html\">all versions</a>"
+    preface += "<h2>Fixed in OpenSSL %s</h2>" %(options.base)
+if len(allyears)>1: # If only vulns in this year no need for the year table of contents
+    preface += "<p><a name=\"toc\">Jump to year: </a>" + ", ".join( "<a href=\"#y%s\">%s</a>" %(year,year) for year in allyears)
 preface += "</p>"
-preface += allissues
+if allissues != "":
+    preface += allissues + "</dl>"
+else:
+    preface += "No vulnerabilities"
 
 sys.stdout.write(preface.encode('utf-8'))
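Review bot: The `</p>` at L177 is now unconditional while its opening `<p>` at L176 is only emitted when `len(allyears) > 1`, so single-year pages and the "No vulnerabilities" page end with a stray `</p>`, and the per-base navigation text appended at L171 sits inside that same paragraph only by accident. The "also addressed in" `<li>` at L156 is never closed, unlike the `</li>` at L154 for the regular entries. At L148 the fragment `#CVE-%s` is built from `cve` even though L134 shows it can be empty, which yields a link ending in `#CVE-`; dropping the fragment when `cve` is falsy would avoid that. The `options.base and` tests at L167 and L172 are redundant since both lines are already inside `if options.base:` from L163. The sketch below closes the `<li>` and moves `</p>` under the same condition as its `<p>`.

```python
    if also:
        allissues += "<li>This issue was also addressed in " + ", ".join(also) + "</li>"
    allissues += "</ul></dd>"

# … unchanged: preface header and per-base navigation …
if len(allyears) > 1:  # If only vulns in this year no need for the year table of contents
    preface += "<p><a name=\"toc\">Jump to year: </a>" + ", ".join("<a href=\"#y%s\">%s</a>" % (year, year) for year in allyears)
    preface += "</p>"
```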
 

