[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian Security Advisories CVE-Compatible

The Debian Project                                http://www.debian.org/
Debian Security Advisories CVE-Compatible               press@debian.org
April 1st, 2004                 http://www.debian.org/News/2004/20040330

Debian Security Advisories are CVE-Compatible

Debian Security Advisories (DSA) have been declared CVE-compatible[1]
at the RSA Conference 2004, in San Francisco, February 24th, 2004.

  1. http://www.debian.org/security/cve-compatibility

The DSA service provided by the Debian Security Team has offered
information on security vulnerabilities that were fixed in Debian
GNU/Linux releases since 1997.  In an effort to cooperate with the
Common Vulnerabilities and Exposures (CVE) project[2] to standardise
the names for all publicly known vulnerabilities and security
exposures, new security advisories[3] have carried CVE names since June
2002.  Debian formally applied for CVE compatibility in May 2003.

  2. http://cve.mitre.org/
  3. http://www.debian.org/security/

The Debian project believes that it is extremely important to provide
users with additional information related to security issues that
affect the Debian distribution.  The inclusion of CVE names in
advisories helps users associate generic vulnerabilities with specific
Debian advisories and updates, which reduces the time spent handling
vulnerabilities that affect our users.

The availability of common security references also eases the
management of security in an environment where CVE-enabled security
tools such as network or host intrusion detection systems, or
vulnerability assessment tools are already deployed regardless of
whether or not they are based on the Debian distribution.

The Debian project has added CVE names to all advisories released
since September 1998 through a review process started on August 2002.
All advisories can be retrieved from the Debian web site, and
announcements related to new vulnerabilities include CVE names if
available at the time of their release.  Advisories associated with a
given CVE name can be searched directly through the search engine[4].

  4. http://search.debian.org/

Moreover, Debian provides a complete cross-reference table[5],
including all references available for advisories published since
1997.  This table is provided to complement the reference map[6]
available at CVE.

  5. http://www.debian.org/security/crossreferences
  6. http://cve.mitre.org/cve/refs/refmap/source-DEBIAN.html

Debian developers understand the need to provide accurate and up to
date information of the security status of the Debian distribution,
allowing users to manage the risk associated with new security
vulnerabilities.  CVE names enable the project to provide standardised
references to all publicly known vulnerabilities and security
exposures which allow users to develop a CVE-enabled security
management process.

Reply to: