This repository has been archived by the owner on Aug 29, 2024. It is now read-only.

Links to OpenSSL security advisories are broken #493

Closed
davidben opened this issue Jul 25, 2024 · 13 comments

@davidben

OpenSSL advisories used to be available at https://www.openssl.org/news/secadv/20240627.txt. These URLs are archived everywhere, from emails, CVE trackers, and no doubt countless other sources.

OpenSSL's recent restructuring seems to have broken all of these links.

Not only that, the new vulnerabilities page links to URLs like https://openssl-library.org/news/vulnerabilities/secadv/20240627.txt. Those URLs are also broken.

@t-j-h
Member

t-j-h commented Jul 25, 2024

Both issues are being worked on now to resolve - thanks for noting the problem.

@t-j-h t-j-h self-assigned this Jul 25, 2024
@t-j-h
Member

t-j-h commented Jul 25, 2024

The original files of the form https://www.openssl.org/news/secadv/20240627.txt are all accessible now (only the 2024 files were missing from the conversion of the website and that has been fixed). The incorrect links on the vulnerabilities page have been updated.

Thanks for pointing out the issue - we are working through a range of missing redirects and broken links as quickly as we can.

@vavroch2010
Contributor

This has been fixed. Thanks for reporting. Please check.

@pombredanne

Thank you! Note there is no directory listing at https://openssl-library.org/news/secadv/ so no way to discover a list.
See also #483

@pombredanne

@t8m
Member

t8m commented Aug 20, 2024

@vavroch2010 @quarckster ^

@pombredanne

Do you need help to fix these issues? Would you accept patches?

In which git can I find the data files for these advisories and where is the code for the web site?

@t8m
Member

t8m commented Aug 20, 2024

Unfortunately the new web repository is currently not public.

@pombredanne

@t8m Thanks for the quick reply! Any reason for public data not being public? It feels kinda weird 🤓

@pombredanne

@t8m related to #483 does this mean that the only way to collect your vulnerability data is now to scrape the web page at https://openssl-library.org/news/vulnerabilities/index.html ?

Also: https://openssl-library.org/news/secjson/CVE-2024-5535.json does not exist but https://openssl-library.org/news/secjson/CVE-2002-0659.json does, so it seems that the JSON is not consistently present.

@quarckster
Contributor

> Unfortunately the new web repository is currently not public.

I will take care of it

@quarckster
Contributor

I fixed the redirects. As for the directory listing, it will take more time to implement.

@quarckster
Contributor

> https://openssl.org/news/secjson/CVE-2002-0659.json does not redirect to https://openssl-library.org/news/secjson/CVE-2002-0659.json and https://openssl-library.org/news/secjson/ has no directory listing either.

It should be fixed now
