[restricting Cc to the lists]

Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote:

> On Tue, Mar 22, 2005 at 11:57:01AM +0100, Frank Küster wrote:
>>
>> Me neither. I find these CVE pages on mitre.org annoying, giving no
>> real information, only meta-information which is again just vendor stuff
>> without code.
>
> CVE is not a database, it's a dictionary. If you are looking into more
> information on vulnerabilities please use either Symantec's Bugtraq, ISS's
> Xforce or NIST's ICAT. The first two are cross-referenced with CVE, the
> last one has CVE references and is freely downloadable.

Thank you, I found it extremely difficult (as someone who follows their own upstream, but not security-related mailing lists) to find resources of information. Currently, the CVE IDs are often used to indicate which issue is talked about (like in the original mail from the secure-testing-team), but e.g. for CAN-2005-0206 there are no cross-references except the RedHat and Mandrake advisories, which aren't too helpful, either.

So I checked the bugtraq list at http://marc.theaimsgroup.com/, but again these are only security advisories by vendors, not actually information about patches, right? And vendors often just link to the CVE...

The Xforce link you gave is a little more helpful to me; but the best I found (and remembered to have seen before...) was the iDefense page I found linked from Xforce:

http://www.idefense.com/application/poi/display?type=vulnerabilities

(Unfortunately, there's nothing there about CAN-2005-0206).

As for NIST's ICAT - what is freely downloadable there? Again, I only found references to vendor advisories, no patches.

Specifically, on all those pages I couldn't find anything about the differences between CAN-2004-0888 and CAN-2004-0889.

If you keep me (or debian-tetex-maint) in the Cc, I'll happily write a patch for the Developer's Reference about security resources.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer