Re: About CVE-2017-10965

To: Teppei Fukuda <teppei.fukuda@aquasec.com>
Cc: "debian-security-tracker@lists.debian.org" <debian-security-tracker@lists.debian.org>, VijayKumar Kamannavar <Vijay.K@aquasec.com>
Subject: Re: About CVE-2017-10965
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 1 Sep 2020 14:01:29 +0200
Message-id: <[🔎] 20200901120129.2defin4d2qzl64te@inutil.org>
In-reply-to: <VE1PR03MB521670A4DF895E758E29653DFF2E0@VE1PR03MB5216.eurprd03.prod.outlook.com>
References: <[🔎] VE1PR03MB521693352358C61ADEF70DBAFF2E0@VE1PR03MB5216.eurprd03.prod.outlook.com> <[🔎] 20200901070146.zbzvq3yxlakzpckr@inutil.org> <VE1PR03MB521670A4DF895E758E29653DFF2E0@VE1PR03MB5216.eurprd03.prod.outlook.com>

On Tue, Sep 01, 2020 at 11:57:08AM +0000, Teppei Fukuda wrote:
> Hi Moritz,
> 
> Thank you for the quick reply. I also found more gaps than this case. Do you have a plan to compare OVAL and Security Tracker and fill gaps? Or, if Debian Security Tracker is always correct, should we use the following repository, not OVAL?
> https://salsa.debian.org/security-tracker-team/security-tracker

I'm not very familiar with the OVAL feed and how it gets synced with the
core data. But the Security Tracker is definitively the source of truth,
so when in doubt add a local override to the OVAL data as found in the
Debian Security Tracker.

Cheers,
        Moritz

Reply to:

References:
- About CVE-2017-10965
  - From: Teppei Fukuda <teppei.fukuda@aquasec.com>
- Re: About CVE-2017-10965
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: About CVE-2017-10965
Next by Date: External check
Previous by thread: Re: About CVE-2017-10965
Next by thread: Bug#931533: marked as done (security-tracker: Fetch Sources.xz/Packages.xz indices when available instead of Sources.gz/Packages.gz)
Index(es):
- Date
- Thread