
Re: [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities



On Wed, 06 May 2009 15:54:22 +0000, Noah Meyerhans wrote:
> Package        : drupal6
> Vulnerability  : multiple
> Problem type   : remote
> Debian-specific: no
> Debian Bug     : 526378
> 
> Multiple vulnerabilities have been discovered in drupal, a web content
> management system.
...
<non-CVEified issue>
...
<non-CVEified issue>
...

hello all,

is there any way to do a better job of tracking these non-CVEified
issues? for example, there is currently no tracking information for
unstable in the CVE list for either of these issues; and no way to
link between the CVE and DSA lists for those issues since the automatic
scripts will remove those links.

a quick solution would be to change the way non-CVE issues are named in
the CVE list.  for example, use CVE-2009-XXXX-YYYY and so on so that
each non-numbered issue is unique (where YYYY starts at 0001 and gets
incremented for each new unique non-numbered issue).  this makes it
possible to link between the CVE and DSA lists for non-numbered
issues.  also, when at some point those issues do get CVE numbers, it
will be easy to go in and make the appropriate changes since you
can just do a search for 2009-XXXX-YYYY.

maybe someone should also write a script that generates the next YYYY
to make it less likely to duplicate the YYYY.

well, let me know what you think.  it may even be possible to start
doing this now; without any modifications to the scripts (although it
may throw off the security tracker TEMP number generator).

also, don't we have a responsibility to get all of our issues CVEified
so that other distros aren't left vulnerable due to unawareness?

mike
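
The counter script suggested in the message above, sketched as an added example; it is not part of the original post and is not the security tracker's own code. It assumes issue headers start in column 0 in the proposed `CVE-<year>-XXXX-YYYY` form with indented annotation lines beneath them, and the sample list and the package name `examplepkg` are constructed.

```python
import re

# Proposed header form: "CVE-2009-XXXX-0001 [description]".
# Assumption: headers start in column 0; indented lines are annotations,
# so cross-references inside notes are not counted as allocations.
PLACEHOLDER = re.compile(r"^CVE-(\d{4})-XXXX-(\d{4})\b", re.MULTILINE)

# Constructed sample, not real tracker data.
SAMPLE = """\
CVE-2009-XXXX-0002 [examplepkg: second non-numbered issue]
\t- examplepkg 1.0-2
CVE-2009-XXXX-0001 [examplepkg: first non-numbered issue]
\tNOTE: related to CVE-2009-XXXX-0002
CVE-2008-XXXX-0007 [examplepkg: older placeholder]
CVE-2009-XXXX-0002 [examplepkg: accidental reuse of a counter]
"""

def used_ids(list_text, year):
    """Counters already used as issue headers for the given year."""
    return [int(n) for y, n in PLACEHOLDER.findall(list_text) if int(y) == year]

def duplicates(list_text, year):
    """Counters that head more than one issue and need manual cleanup."""
    seen, dups = set(), set()
    for n in used_ids(list_text, year):
        if n in seen:
            dups.add(n)
        seen.add(n)
    return sorted(dups)

def next_placeholder(list_text, year):
    """Next unused name. Uses max+1 and never fills gaps, so a counter freed
    in the middle of the range (issue later given a real CVE) is not reissued."""
    nxt = max(used_ids(list_text, year), default=0) + 1
    if nxt > 9999:
        raise ValueError("placeholder space exhausted for %d" % year)
    return "CVE-%d-XXXX-%04d" % (year, nxt)

if __name__ == "__main__":
    print(next_placeholder(SAMPLE, 2009), duplicates(SAMPLE, 2009))
```

Because the highest counter could still be reissued once its entry is renamed to a real CVE number, a persistent high-water mark per year would be needed to rule out reuse entirely.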

