[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
> [Silvio Cesare]
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
> This sound like a job that could become a bit easier if we tagged
> Debian packages with the CPE ids assosiated with CVEs, to make it
> easier to figure out which Debian package are affected by a given CVE.
> Are you aware of my proposal to do this, mentioned on debian-security
> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?

Does this actually cover embedded code copies?  The spec probably
needs to get something like an "XBS-Embeds-Source-From-CPE" tag for

Even so, do you think maintainers are really going to go through the
trouble to keep these tags accurately populated?  I suppose its worth
it to try, but I have my doubts.  Inaccurate information can be worse
than no information.  At least with embedded-code-copies, we have a
centralized record that's kept up to date by security-involved people.

Best wishes,

Reply to: