tracking security issues without CVEs
Just wondering if there is some other way we can track security issues
for when CVEs are not available.
Thinking of imagemagick here, it has a lot of security issues, and
requests for CVEs are not getting any responses.
For example, if there are no CVEs are we able to use OVEs instead?
As an example of the problems this causes, it is going to be challanging
working out for sure which changes made in the squeeze version fixed
TEMP-0773834-5EB6CF (for porting to wheezy version), particular as
TEMP-0773834-5EB6CF refers to multiple security issues. As there is
nothing in the changelog refering to these temp ids, because of cause
they are only temp ids.
In this particular case, I suspect it might be just the last two
patches, as other issues have CVEs or appear to be fixed in wheezy
already. e.g. #692367 (which doesn't appear to have security tracking).
Brian May <email@example.com>