Re: [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities
On Wed, 06 May 2009 20:36:24 +0200, Florian Weimer wrote:
> * Michael S. Gilbert:
> > is there any way to do a better job of tracking these non-CVEified
> > issues? for example, there is currently no tracking information for
> > unstable in the CVE list for either of these issues; and no way to
> > link between the CVE and DSA lists for those issues since the automatic
> > scripts will remove those links.
> I had proposed a FIXED-BY: directive some time ago to deal with this
> situation, but it was considered unnecessary at the time.
interesting. i apologize for missing this, but how would FIXED-BY work?
a link to the previous discussion would be very helpful.
> > a quick solution would be to change the way non-CVE issues are named in
> > the CVE list. for example, use CVE-2009-XXXX-YYYY and so on so that
> > each non-numbered issue is unique (where YYYY starts at 0001 and gets
> > incremented for each new unique non-numbered issue).
> We shouldn't call this CVE, but DVN ("Debian Vulnerability Name") or
> something else.
this does make more sense, and it's shorter.
> This would be more difficult to implement in the tracker than FIXED-BY:.
wouldn't it just be a matter of converting the CVE-2009-XXXX handling
to use DVN-2009-0001, etc. instead? i'd imagine that for the most part
the CVE name is usually just treated as a string, except for the
conversion to TEMP number; although i'm not familiar with the web
scripts so i could be very wrong.