
Re: [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities



On Sat, 09 May 2009 17:55:48 +0200 Florian Weimer wrote:
> <http://lists.alioth.debian.org/pipermail/secure-testing-team/2005-October/000508.html>
> 
> There's even a follow-up which mentions FIXED-BY for unnamed issues.

this seems like a very good idea, and could be implemented
immediately with NOTEs (and without requiring any code changes).

> When an issue is assigned a CVE, I suggest to add it after the CVE
> name, preceded by a slash:
> 
> CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)
> 
> Before that, the entry would have looked like this:
> 
> DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]

this is a great idea and would be even better than FIXED-BY.  it seems
like a more rigorous solution. i would suggest keeping the full DVN
name for completeness' sake (maybe reorder to illustrate that the DVN
came before the CVE):

  DVN-70212/CVE-2009-1572 (The BGP daemon (bgpd) in Quagga 0.99.11 ...

also, would it make sense to associate all CVEs with DVNs (a longer
identifier may be required since there are already almost 40,000 CVEs
in the list)?  perhaps this could be automatically added by the
update scripts?

mike
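As an added illustration of the entry formats discussed in this thread (not code from the thread or from the Debian security tracker itself), the following Python parser accepts the existing DVN-only form, Florian's "CVE/DVN-number" form and Mike's "DVN/CVE" form, and builds a DVN-to-CVE table from a list of entries. The sample entries are constructed for the example; the one with no DVN is invented, and the closing parentheses on the truncated descriptions are supplied only so the samples are well formed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries in the shapes discussed in the thread: the
# pre-CVE DVN-only form, the "CVE/DVN number" form, the "DVN/CVE" form,
# and (invented for the example) an entry with a CVE but no DVN.
SAMPLE_LINES = [
    "DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]",
    "CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)",
    "DVN-70212/CVE-2009-1572 (The BGP daemon (bgpd) in Quagga 0.99.11 ...)",
    "CVE-2009-9999 (constructed entry that never had a DVN)",
]


@dataclass
class Entry:
    cve: Optional[str]   # e.g. "CVE-2009-1572"; None while the issue is unnamed
    dvn: Optional[str]   # e.g. "DVN-70212"; None if no DVN was ever assigned
    description: str     # description text with the surrounding () or [] removed


# Leading identifier(s): one name, optionally "/" and a second name or bare number.
ENTRY_RE = re.compile(r"^(?P<ids>[A-Z]+-[0-9-]+(?:/[A-Za-z0-9-]+)?)\s+(?P<rest>.*)$")


def parse_entry(line: str) -> Entry:
    """Parse one entry line in the current or either proposed format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an entry line: {line!r}")
    cve = dvn = None
    for tok in m.group("ids").split("/"):
        if tok.startswith("CVE-"):
            cve = tok
        elif tok.startswith("DVN-"):
            dvn = tok
        elif tok.isdigit():
            # A bare number after the CVE is the DVN number (the CVE/70212 form).
            dvn = "DVN-" + tok
        else:
            raise ValueError(f"unknown identifier {tok!r} in {line!r}")
    rest = m.group("rest").strip()
    # Named issues carry their description in (), unnamed ones in [].
    if len(rest) >= 2 and rest[0] in "([" and rest[-1] in ")]":
        rest = rest[1:-1]
    return Entry(cve=cve, dvn=dvn, description=rest)


def dvn_to_cve(lines: List[str]) -> Dict[str, Optional[str]]:
    """Map each DVN to the CVE it was later given (None while still unnamed).

    A line carrying a CVE overrides an earlier DVN-only line for the same
    DVN, so the table reflects the most recent state of the list.
    """
    table: Dict[str, Optional[str]] = {}
    for line in lines:
        e = parse_entry(line)
        if e.dvn is None:
            continue
        if e.cve is not None or e.dvn not in table:
            table[e.dvn] = e.cve
    return table


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_entry(line)
        print(f"{e.dvn or '-':12} {e.cve or '-':15} {e.description[:40]}")
    print(dvn_to_cve(SAMPLE_LINES))
```

Keeping both identifiers on the line, in either order, is what makes the lookup possible: an entry that was tracked under a DVN before its CVE was assigned can still be found by the DVN after renaming.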

