Re: tracking security issues without CVEs
On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.
Creating individual bugs in the Debian BTS, including more details
like fixing commits, would be a great start, since we use either CVEs
or references to the Debian BTS in DSAs (and DLAs). Furthermore, the
security-tracker handles both (you can actually search items there via
either CVE id, bug number or package name).
The original CVE request at
http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
fully optimal, since it just pasted a collection of items. Adding
references to fixing commits would have helped to get CVEs assigned to
issues. The original request at least makes it really hard to
identify the issues and make sure the CVEs are assigned correctly.