Re: [Secure-testing-team] Vulnerabilities not affecting Debian: reporting proposal
On 7/11/07, Alec Berryman <firstname.lastname@example.org> wrote:
> I can't speak for the security team, but the testing security team could
> always use more people doing what you apparently already do - determine
> which new CVEs affect Debian and find ways to get those issues fixed.

Actually I'm not currently following recent vulnerabilities, sorry...
I just wanted to suggest a useful feature that could help others now
and also myself in the future.

> Much of the infrastructure you mentioned is already in place. The
> testing security team keeps a list of CVEs and short descriptions of how
> (if at all) each affects Debian as well as information like versions in
> which the issue is fixed, bug numbers, and severity indicators. It's
> kept in plain-text in a publicly-viewable svn repository, but there are
> other ways to view the information. At
> http://security-tracker.debian.net/ you can look up the status of
> different packages, CVEs, and security bug numbers. Also, the Debian
> Security Analyzer (package debsecan) will alert you to vulnerable
> packages on that system using the security-tracker data.

Thanks for the information, it's really helpful.