On 2012-01-17 11:37, Simon McVittie wrote:
On 16/01/12 16:01, Jonathan Wiltshire wrote:
A CVE field, mandatory if a CVE has been published for this patch and is
the major component of this patch, would allow easy tracing of patches
back to CVE publications later (for review perhaps, or by other
distributions).
I wonder whether CVE IDs are close enough to being a (limited-scope)
bug tracking system to treat them as such, analogous to Bug-Debian,
Bug-Fedora etc.; I've previously used "Bug-CVE: CVE-2011-xxxx" in
ioquake3, although I haven't been completely consistent about that.
It *should* be the case that each CVE identifier is unique to a
problem; occasionally they get revoked if a duplicate becomes apparent.
In rare cases they are disputed and marked as such.
(Also, a Bug-* line would ideally have a URI - is there a canonical
URI corresponding to each CVE ID, preferably one that doesn't still
just say "RESERVED" long after the embargo date?)
Useful:
http://security-tracker.debian.org/tracker/<CVEID>
https://bugzilla.redhat.com/show_bug.cgi?id=<CVEID>
Generally not so useful:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVEID> (the official CVE
database)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVEID>
--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
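To make the "easy tracing" idea concrete, here is an added Python example (not from this thread, and not a Debian or DEP-3 tool) that reads a DEP-3-style "Field: value" patch header, pulls CVE ids out of CVE: or Bug-CVE: fields, and builds the tracker URLs listed above. The sample header, its bug number and its CVE numbers are constructed placeholders.

```python
import re

# Constructed sample patch header (not from the thread); the bug number
# and CVE ids are placeholders, not real identifiers.
SAMPLE_PATCH = """\
Description: fix buffer handling in the foo parser
Origin: upstream
Bug-Debian: http://bugs.debian.org/000000
Bug-CVE: CVE-2011-0000
CVE: CVE-2011-0001
Forwarded: not-needed

--- a/foo.c
+++ b/foo.c
"""

# CVE ids are "CVE-<year>-<sequence>"; the sequence is at least four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# URL templates quoted in the thread, keyed by the site that serves them.
TRACKERS = {
    "debian": "http://security-tracker.debian.org/tracker/{cve}",
    "redhat": "https://bugzilla.redhat.com/show_bug.cgi?id={cve}",
    "mitre": "http://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}",
    "nvd": "http://web.nvd.nist.gov/view/vuln/detail?vulnId={cve}",
}


def parse_header(patch_text):
    """Return the 'Field: value' pairs above the first blank line.

    Indented continuation lines (e.g. a multi-line Description) are skipped,
    and everything after the blank line (the diff itself) is ignored.
    """
    fields = {}
    for line in patch_text.splitlines():
        if not line.strip():
            break
        if ":" in line and not line.startswith((" ", "\t")):
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def cve_ids(fields):
    """Well-formed CVE ids from CVE: and Bug-CVE: fields, deduplicated, in order."""
    found = []
    for name in ("CVE", "Bug-CVE"):
        for value in fields.get(name, []):
            for cve in CVE_RE.findall(value):
                if cve not in found:
                    found.append(cve)
    return found


def tracker_urls(cve):
    """Map each tracker name to the URL for the given CVE id."""
    return {site: tmpl.format(cve=cve) for site, tmpl in TRACKERS.items()}
```

Values that are not well-formed ids (such as a literal "CVE-2011-xxxx" placeholder) are silently dropped by `cve_ids`, so a header with no usable id yields an empty list rather than a bogus URL.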