Re: Advisory description text
On Mon, Jan 07, 2008 at 10:20:40PM +0100, Christoph Ulrich Scholler wrote:
> Hi,
>
> On 07.01. 13:54, Adam Majer wrote:
> > Moritz Muehlenhoff wrote:
> > > CVE-2007-3382
> > >
> > > It was discovered that single quotes (') in cookies were treated
> > > as a delimiter, which could lead to an information leak.
> > >
> > > CVE-2007-3385
> > >
> > > It was discovered that the character sequence \" in cookies was
> > > handled incorrectly, which could lead to an information leak.
> > >
> > > CVE-2007-5461
> > >
> > > It was discovered that the WebDAV servlet is vulnerable to absolute
> > > path traversal.
> > >
> >
> > First of all, this is not targeted at this specific advisory or any
> > person writing this advisory. :)
> >
> > Generally, the first little bits of each and every CVE description
> > above, as well as in other advisories sent out by Debian, is not needed.
> > Please, remove the "It was discovered that" part from any templates that
> > you may be using. That part is not needed. It is also implied and
> > doesn't add anything to the advisory.
>
> I respectfully disagree. A short summary of what a CVE is about is very
> useful for everyone not intimately familiar with all CVEs. Remember
> that Debian is not only used by seasoned professionals who know all
> pertinent security advisory distribution channels by heart. A little
> "redundancy" is a good thing when humans are involved.
I think that the OP wanted things to read:
| CVE-2007-3382
|
| Single quotes (') in cookies were treated as a delimiter, which
| could lead to an information leak.
Rather than remove the whole description.
--
Rob
I know you think you thought you knew what you thought I said,
but I'm not sure you understood what you thought I meant.
Received on Mon Jan 7 18:09:48 2008