
tracking security issues without CVEs



Hello,

Just wondering if there is some other way we can track security issues
for when CVEs are not available.

Thinking of imagemagick here, it has a lot of security issues, and
requests for CVEs are not getting any responses.

For example, if there are no CVEs, are we able to use OVEs instead?

http://www.openwall.com/ove

As an example of the problems this causes, it is going to be challenging
working out for sure which changes made in the squeeze version fixed
TEMP-0773834-5EB6CF (for porting to wheezy version), particularly as
TEMP-0773834-5EB6CF refers to multiple security issues. As there is
nothing in the changelog referring to these temp ids, because of course
they are only temp ids.

https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF

In this particular case, I suspect it might be just the last two
patches, as other issues have CVEs or appear to be fixed in wheezy
already. e.g. #692367 (which doesn't appear to have security tracking).

fix-overflow-in-icon-parsing.patch
fix-overflow-in-pict-parsing.patch

Regards
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

