Hi Brian, hi Paul,

On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> > Just wondering if there is some other way we can track security issues
> > for when CVEs are not available.
> >
> > Thinking of imagemagick here, it has a lot of security issues, and
> > requests for CVEs are not getting any responses.
>
> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).
>
> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues. The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.
Just one comment which I forgot to address in the previous mail,
regarding the OVE identifiers. The question about the CVE assignments
was just re-raised yesterday on oss-security. The whole might look
promising indeed. But I think as well that it is right now too early to
start adopting these for not yet assigned issues. Instead, follow the
current discussion on oss-security and let's see if across
distributions there is going to be some consensus/approach for this
issue.

For the record, the thread is starting at
http://www.openwall.com/lists/oss-security/2016/03/04/4 where Kurt
Seifried from Red Hat raised the concern.

Regards,
Salvatore