Following security issues found upstream
How do the Debian Security team currently follow the vulnerabilities posted
upstream? I guess that's easy when the upstream maintainer (or the one that found the
bug) tells Debian's team before posting. But what if somebody posts in bugtraq a
security issue around a software available at Debian.
I know that the security team keeps track of bugtraq, but is there any public
database (a 'security.debian.org' virtual package at bugs.debian.org?) where interested
people can ask. Hey, what about Bugtraq-ID (or CVE-ID) XXX. Has it been fixed in Debian?
what packages does it affect? has there been a DS released?
I guess a public database could be useful both for
- the team to coordinate themselves
- interested people to follow the situation and maybe help if needed
It is really a pain extracting and correlating DSA's and public announcements
(Bugtraq's DB) BTW, but I'll comment on this later on (after I'm done doing some
statistics for today's conference)