
Re: tracking security issues without CVEs



On Sun, Mar 6, 2016 at 12:33 PM, Brian May wrote:

> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
...
> For example, if there are no CVEs are we able to use OVEs instead?
>
> http://www.openwall.com/ove

This sounds like a good idea to me.

Do you know of any issues where OVEs were used?

Is there any project that uses them regularly?

I wonder if we should be discussing this more widely, for example on oss-sec?

> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.

It sounds like Mitre has quite a backlog:

https://marc.info/?i=1456968329.26654.16.camel@bonedaddy.net
https://marc.info/?i=CANO=Ty1YVJf505LzrJ7UtG5YpBys1gabo4Bd0e5h95PUP62Wxg@mail.gmail.com
https://cve.mitre.org/data/board/archives/2015-11/msg00018.html

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

