Re: tracking security issues without CVEs

Salvatore Bonaccorso <carnil@debian.org> writes:

> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).

The problem with this (if I understand security-tracker as well as I
think I do) is that if we want to track them using security-tracker, you need
an entry in data/CVE/list. If there is no CVE, that means you have to use
CVE-2016-XXXX, which in turn means that data/DSA/list and data/DLA/list
can't directly refer to the data/CVE/list entry being fixed.

I also seem to recall (???) that CVE-2016-XXXX is intended for when a
CVE is expected very soon.

So if you want to get a good idea of where we have fixed #692367, and
what DSA/DLA were involved, I don't think there is a good way of adding
this information to security-tracker.

> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues.  The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.

Yes, I thought this was lousy too. There is a reference to a list of
patches, however no easy way of being able to link each issue to each
patch. So if a CVE was provided for each issue, it would be relatively
hard to link it to the appropriate patch with 100% certainty.

With so many different issues, I suspect it is going to be overwhelming
requesting a CVE for each issue no matter what you do.

Brian May <bam@debian.org>