
Re: pulling in other vulnerability databases



On 2018-01-26 00:31:19, Ben Hutchings wrote:
> On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote:
> [...]
>> > OS vendors (RH/SUSE)
>> > Upstream projects (Xen, Linux etc)
>> 
>> I believe those already follow the CVE process and eventually converge
>> over doing the right thing. So I am not really concerned about those
>> people.
> [...]
>
> Linux has a security contact (security@kernel.org), but this is only
> used for reporting bugs and discussing how to fix them; CVE assignments
> are left to distributions, DWF, etc.  Many security fixes don't get
> discussed there anyway.
>
> I would estimate that less than half of security fixes in Linux
> actually get CVE IDs.

Well that's just disturbing. I am not sure, however, that I can
meaningfully change this by ... er... say writing the kernel mailing
lists, unfortunately.

I haven't got a reply from Snyk.io (yet?) by the way. I suspect I may
not get anything at all... Any other ideas as to the next steps in
general here?

a.

-- 
May your trails be crooked, winding, lonesome, dangerous, leading to
the most amazing view. May your mountains rise into and above the
clouds.
                        - Edward Abbey
