Salvatore Bonaccorso <car...@debian.org> writes:

> Creating individual bugs in the Debian BTS, including more details
> like fixing commits, would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore, the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).

The problem with this (if I understand the security tracker as well as I think I do) is that if we want to track them using the security-tracker, you need an entry in data/CVE/list. If there is no CVE, that means you have to use CVE-2016-XXXX, which in turn means that data/DSA/list and data/DLA/list can't directly refer to the data/CVE/list entry being fixed. I also seem to recall (???) that CVE-2016-XXXX is intended for when a CVE is expected very soon.

So if you want to get a good idea of where we have fixed #692367, and what DSA/DLA were involved, I don't think there is a good way of adding this information to the security-tracker.

> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues. The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.

Yes, I thought this was lousy too. There is a reference to a list of patches, however there is no easy way of linking each issue to each patch. So if a CVE was provided for each issue, it would be relatively hard to link it to the appropriate patch with 100% certainty.

With so many different issues, I suspect it is going to be overwhelming requesting a CVE for each issue no matter what you do.

-- 
Brian May <b...@debian.org>