Re: [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities
* Michael S. Gilbert:
> Interesting. I apologize for missing this, but how would FIXED-BY work?
> A link to the previous discussion would be very helpful.
<http://lists.alioth.debian.org/pipermail/secure-testing-team/2005-October/000508.html>
There's even a follow-up which mentions FIXED-BY for unnamed issues.
>> > A quick solution would be to change the way non-CVE issues are named in
>> > the CVE list. For example, use CVE-2009-XXXX-YYYY and so on so that
>> > each non-numbered issue is unique (where YYYY starts at 0001 and gets
>> > incremented for each new unique non-numbered issue).
>>
>> We shouldn't call this CVE, but DVN ("Debian Vulnerability Name") or
>> something else.
>
> This does make more sense, and it's shorter.
Fine.
>> This would be more difficult to implement in the tracker than FIXED-BY:.
>
> Wouldn't it just be a matter of converting the CVE-2009-XXXX handling
> to use DVN-2009-0001, etc. instead?
I'd suggest to use DVN- followed by a random five-digit number
instead, so that we don't have to worry about the year.
When an issue is assigned a CVE, I suggest to add it after the CVE
name, preceded by a slash:
CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)
Before that, the entry would have looked like this:
DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]
The precommit check will be updated to enforce uniqueness of numbers.
We also could make it hexadecimal to avoid confusion with bug numbers.
> I'd imagine that for the most part the CVE name is usually just
> treated as a string, except for the conversion to TEMP number;
> although I'm not familiar with the web scripts so I could be very
> wrong.
I don't think it's easy to add, at least not to the current code base.
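As an added illustration of the naming scheme and the precommit check proposed in the message above (this is example code written for this page, not code from the Debian security tracker or from any participant in the thread), the following Python sketch parses entries in the two proposed forms, DVN-NNNNN and CVE-YYYY-NNNN/NNNNN, flags numbers used by more than one entry, rewrites a DVN-only entry once a CVE is assigned, and picks a fresh random five-digit number. The list contents, the second DVN number and the CVE identifier used in the rewrite are constructed; the exact header syntax is assumed from the two example lines in the message.

```python
import random
import re
from collections import defaultdict

# Constructed sample list in the two forms proposed in the message
# (assumed format, not real tracker data).  The CVE-2009-1572 line
# already carries the number of the older DVN-70212 line, so both lines
# being present is exactly the duplicate a precommit check should reject.
SAMPLE_LIST = """\
DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]
CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)
DVN-48107 [example: another unnamed issue]
CVE-2009-0001 (an ordinary CVE entry that never had a DVN number)
"""

# Entry header: either DVN-NNNNN, or CVE-YYYY-NNNN optionally followed by
# "/NNNNN" (the number the issue had before the CVE was assigned).
ENTRY_RE = re.compile(
    r"^(?:DVN-(?P<dvn>\d{5})"
    r"|(?P<cve>CVE-\d{4}-\d{4,})(?:/(?P<dvn_after_cve>\d{5}))?)"
    r"(?:\s|$)"
)


def parse_entry(line):
    """Return (cve_name_or_None, dvn_number_or_None) for an entry header,
    or None for any other line (package/version lines, comments, ...)."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return (m.group("cve"), m.group("dvn") or m.group("dvn_after_cve"))


def find_duplicate_numbers(text):
    """Map every DVN number used by more than one entry to the headers
    that use it, in order of appearance.  Empty dict means no clash."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None or parsed[1] is None:
            continue
        seen[parsed[1]].append(line.split(None, 1)[0])
    return {num: headers for num, headers in seen.items() if len(headers) > 1}


def precommit_check(text):
    """Uniqueness check for the list: returns a list of error messages,
    empty when the commit should be accepted."""
    return [
        f"DVN number {num} used by more than one entry: {', '.join(headers)}"
        for num, headers in sorted(find_duplicate_numbers(text).items())
    ]


def assign_cve(line, cve_name):
    """Rewrite a DVN-only entry after a CVE is assigned: keep the number
    after a slash and switch the description from [...] to (...)."""
    m = re.match(r"^DVN-(\d{5})\s+\[(.*)\]\s*$", line)
    if not m:
        raise ValueError("not a DVN-only entry: " + line)
    return f"{cve_name}/{m.group(1)} ({m.group(2)})"


def new_dvn_number(text, rng=random):
    """Pick a random five-digit number not already used by any entry
    (decimal here; the message also floats hexadecimal)."""
    used = set()
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed and parsed[1]:
            used.add(parsed[1])
    for _ in range(1000):
        candidate = f"{rng.randrange(100000):05d}"
        if candidate not in used:
            return candidate
    raise RuntimeError("DVN number space nearly exhausted")


if __name__ == "__main__":
    for msg in precommit_check(SAMPLE_LIST) or ["uniqueness check passed"]:
        print(msg)
    # CVE-2009-0002 is a constructed identifier, not a real assignment.
    print(assign_cve("DVN-48107 [example: another unnamed issue]", "CVE-2009-0002"))
    print("next free number:", new_dvn_number(SAMPLE_LIST))
```

Run as-is it reports the 70212 clash between the stale DVN line and its CVE successor, which is the case the check exists for: once an entry is renamed, the old DVN-only line has to go, and the number stays reserved by the slash suffix rather than being reused.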