Re: tracking security issues without CVEs
Hi Brian, hi Paul,
On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote:
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> > Just wondering if there is some other way we can track security issues
> > for when CVEs are not available.
> > Thinking of imagemagick here, it has a lot of security issues, and
> > requests for CVEs are not getting any responses.
> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).
> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues. The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.
Just one comment which I forgot to address in the previous mail,
regarding the OVE identifiers. The question about the CVE assignments
were just re-raised yesterday on oss-security. The whole might look
promissing indeed. But I think as well that is right now to early to
start adopting these for not yet assigned issues. Instead follow the
current discussion on oss-security and let's see if across
distributions there is going to be some consensus/approach for this
For the record, the thread is starting at
where Kurt Seifried from Red Hat raised the concern.