[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Patch Tagging Guidelines: DEP-3 moved to ACCEPTED status



On 2012-01-17 11:37, Simon McVittie wrote:
On 16/01/12 16:01, Jonathan Wiltshire wrote:
A CVE field, mandatory if a
CVE has been published for this patch and is the major component of this
patch, would allow easy tracing of patches back to CVE publications
later (for review perhaps, or by other distributions).

I wonder whether CVE IDs are close enough to being a (limited-scope)
bug tracking system to treat them as such, analogous to Bug-Debian,
Bug-Fedora etc.; I've previously used "Bug-CVE: CVE-2011-xxxx" in
ioquake3, although I haven't been completely consistent about that.

It *should* be the case that each CVE identifiers is unique to a problem; occasionally they get revoked if a duplicate becomes apparent. In rare cases they are disputed and marked as such.

(Also, a Bug-* line would ideally have a URI - is there a canonical
URI corresponding to each CVE ID, preferably one that doesn't still
just say "RESERVED" long after the embargo date?)

Useful:
http://security-tracker.debian.org/tracker/<CVEID>
https://bugzilla.redhat.com/show_bug.cgi?id=<CVEID>

Generally not so useful:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVEID> (the official CVE database)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVEID>



--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


Reply to: