Bug#508031: Tracking vulnerabilities that have already been patched in other distributions
Package: security-tracker
Severity: important
Oftentimes, a fix gets released for other distributions, and then it
takes weeks or months for Debian to apply the same fix. I wonder if
this is primarily a communication issue and whether including this
type of information in the tracker would help reduce this lag. The
intent would be to increase the security team's and package maintainers'
awareness of existing patches.
Some current examples (not a comprehensive list, I only spent 5
minutes on this):
CVE-2008-4552: fixed in Ubuntu [1]
CVE-2008-2379: fixed in Fedora [2]
I'm considering the severity important since leaving users' systems
vulnerable while a fix exists is a very bad thing.
If I get the time, I may look at trying to add this myself, but no
guarantees. So if anyone else is interested in the problem, go for
it.
Mike
[1] http://www.ubuntu.com/usn/USN-687-1
[2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html
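The cross-reference the report asks for can be sketched in a few lines. The following is an added example, not code from the Debian security tracker or from the report's author: it extracts CVE identifiers from advisory text published by other distributions, indexes them, and lists which CVEs still open in Debian already have a fix elsewhere, with the advisory reference a tracker entry could carry. All advisory texts and the "open in Debian" list are constructed sample data; CVE-2008-1111 in particular is only a placeholder used to show a CVE that no external advisory covers.

```python
import re
from dataclasses import dataclass

# CVE identifiers: "CVE-YYYY-NNNN" with four or more trailing digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Advisory:
    """A published advisory from another distribution (fields are assumptions)."""
    distro: str
    advisory_id: str
    url: str
    text: str


def cves_in_advisory(adv: Advisory) -> set[str]:
    """Return the set of CVE ids mentioned anywhere in the advisory text."""
    return set(CVE_RE.findall(adv.text))


def index_external_fixes(advisories: list[Advisory]) -> dict[str, list[tuple[str, str, str]]]:
    """Map CVE id -> [(distro, advisory_id, url), ...] across all advisories."""
    index: dict[str, list[tuple[str, str, str]]] = {}
    for adv in advisories:
        for cve in sorted(cves_in_advisory(adv)):
            index.setdefault(cve, []).append((adv.distro, adv.advisory_id, adv.url))
    return index


def open_with_external_fix(open_in_debian: set[str],
                           advisories: list[Advisory]) -> dict[str, list[tuple[str, str, str]]]:
    """CVEs still open in Debian for which at least one other distro shipped a fix."""
    index = index_external_fixes(advisories)
    return {cve: index[cve] for cve in sorted(open_in_debian) if cve in index}


def tracker_note(cve: str, fixes: list[tuple[str, str, str]]) -> str:
    """Render one line in the style a tracker entry could carry."""
    refs = ", ".join(f"{distro} {adv_id} <{url}>" for distro, adv_id, url in fixes)
    return f"{cve}: fixed elsewhere: {refs}"


# Constructed sample data. The two advisory URLs are the ones cited in the report;
# the advisory texts below are invented summaries, not the real advisory bodies.
SAMPLE_ADVISORIES = [
    Advisory("ubuntu", "USN-687-1", "http://www.ubuntu.com/usn/USN-687-1",
             "USN-687-1: package update. References: CVE-2008-4552"),
    Advisory("fedora", "fedora-package-announce 2008-December msg00232",
             "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html",
             "Security fix for CVE-2008-2379 (see also CVE-2008-2380)"),
]

# Constructed: CVEs we pretend are still open in Debian's tracker.
SAMPLE_OPEN_IN_DEBIAN = {"CVE-2008-4552", "CVE-2008-2379", "CVE-2008-1111"}


def sample_report() -> dict[str, list[tuple[str, str, str]]]:
    """Run the cross-reference over the constructed sample data."""
    return open_with_external_fix(SAMPLE_OPEN_IN_DEBIAN, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for cve, fixes in sample_report().items():
        print(tracker_note(cve, fixes))
```

A real integration would feed the advisory texts from each distribution's announcement feed and the open list from the tracker's own data; the join logic stays the same. Note that the index only records that a CVE is *mentioned* by an advisory, so a reviewer still has to confirm the advisory actually fixes it before the note is treated as a patch pointer.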