CVE links in the updater are invalid
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| update-manager (Ubuntu) | Fix Released | Medium | Brian Murray | |
Bug Description
The auto-updater was asking for permission to update Bash. The "Changes" message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4
Version 4.3-7ubuntu1.4:
* SECURITY UPDATE: out-of-bounds memory access
- debian/
off-by-one in parse.y and y.tab.c.
- CVE-2014-7186
- CVE-2014-7187
* SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- debian/
variables.c.
Each CVE link went to a URL such as http://
Manually changing the URL to http://
Does the code that generates the links need to include "CVE-" in the URLs?
I assume that this will apply to all updates, not just Bash, but I can't yet verify this.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSign
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/
GsettingsChanges:
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitec
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in update-manager (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Brian Murray (brian-murray)
Although both links work for me according to the CVE website, CVE identifiers include the characters CVE so I think we should be including them in the URL.
https://cve.mitre.org/cve/identifiers/syntaxchange.html#new
"The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits"
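As an added illustration (not update-manager's own code), the following shows how a changelog entry like the one in the report can be scanned for CVE identifiers under the variable-length syntax quoted above, and how a link can be built from the whole identifier rather than from the year and digits alone; the link target `cve.mitre.org/cgi-bin/cvename.cgi` is an assumption, since the report's URLs are truncated.

```python
import re

# Constructed sample, modelled on the bash changelog quoted in the bug report.
CHANGELOG = """\
Version 4.3-7ubuntu1.4:
  * SECURITY UPDATE: out-of-bounds memory access
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
"""

# CVE-ID syntax per the MITRE page quoted in the comment: "CVE-" prefix,
# a four-digit year, then four or more digits (variable length, so the
# sequence part must not be assumed to be exactly four digits).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Assumed link target; the exact URL scheme the updater used is not in the report.
CVE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"


def find_cves(text):
    """Return the distinct CVE identifiers in text, in order of first appearance."""
    found = []
    for match in CVE_RE.finditer(text):
        cve = match.group(0)
        if cve not in found:
            found.append(cve)
    return found


def cve_url(cve):
    """Build a link from a complete identifier, prefix included.

    The links described in the report lacked the "CVE-" prefix; refusing
    anything that is not a full identifier keeps that from recurring."""
    if not CVE_RE.fullmatch(cve):
        raise ValueError("not a CVE identifier: %r" % cve)
    return CVE_URL.format(cve=cve)


def linkify(text):
    """Map every CVE identifier in a changelog entry to its link."""
    return {cve: cve_url(cve) for cve in find_cves(text)}


if __name__ == "__main__":
    for cve, url in linkify(CHANGELOG).items():
        print(cve, "->", url)
```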