
Re: Proposal/suggestion for security team w.r.t. published vulnerabilities



* Jeroen van Wolffelaar:

>> Actually, it's rather time-consuming to determine if a security
>> vulnerability has been published.  You have to discover the
>> publication, and then you have to decide whether it's actually the
>> same issue and if it's been disclosed completely.
>
> The first thing that is being done when a security issue gets to the
> security team, is assign a CAN-number after it's verified.

Are you sure?  In this case, process has changed considerably.  CVE
originally only dealt with public vulnerabilities.  Nowadays, you can
get blocks of CANs for later assignment, but assignment still appears
to be somewhat ad-hoc and not very systematic.  It looks like quite a
number of CANs are assigned pretty late during the lifetime of a
vulnerability.

> CAN entries are either simply 'reserved' and hidden for the general
> public, at some time, the content is set open for the public.

There is no hidden content at the CVE site.  MITRE simply doesn't have
this information.  They add it from public sources once it is
available.

> I guess/assume that opening up is mailed to the security team in
> some way, or otherwise noticed.

The CVE project at MITRE doesn't coordinate disclosure.  I'd be
surprised if status changes are sent to vendors, especially if they
haven't been associated with the database entry yet.

> Then sending a mail to submit@b.d.o with a cut&paste (yank &
> put) of the CAN/CVE description shouldn't be that much effort.

Are you sure that CVE is updated faster than Debian reacts, generally
speaking?  This new process is only worth it if (a) there is a
significant delay on Debian's part and (b) CVE is considerably faster
in providing data, in all but pathological cases.  Otherwise, you'd
put (maybe just very little) resources into something that isn't
really worth it.

> The security team monitors every bugreport tagged security, I had it
> happen that the security team responded earlier to a bug like that than I
> had the chance... So, they do already.

I wasn't sure if the monitoring is systematic.  Is there some
pre-filtered mailing list I could subscribe to?


