
Re: [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities

* Michael S. Gilbert:

> is there any way to do a better job of tracking these non-CVEified
> issues? for example, there is currently no tracking information for
> unstable in the CVE list for either of these issues; and no way to
> link between the CVE and DSA lists for those issues since the automatic
> scripts will remove those links.

I had proposed a FIXED-BY: directive some time ago to deal with this
situation, but it was considered unnecessary at the time.

> a quick solution would be to change the way non-CVE issues are named in
> the CVE list.  for example, use CVE-2009-XXXX-YYYY and so on so that
> each non-numbered issue is unique (where YYYY starts at 0001 and gets
> incremented for each new unique non-numbered issue).

We shouldn't call this CVE, but DVN ("Debian Vulnerability Name") or
something else.  This would be more difficult to implement in the
tracker than FIXED-BY:.

> also, don't we have a responsibility to get all of our issues CVEified
> so that other distros aren't left vulnerable due to unawareness?

Posting to oss-security should achieve both, yes.
