Re: xpdf vulnerability?
[restricting Cc to the lists]
Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:
> On Tue, Mar 22, 2005 at 11:57:01AM +0100, Frank Küster wrote:
>>
>> Me neither. I find these CVE pages on mitre.org annyoing, giving no
>> real information, only meta-information which is again just vendor stuff
>> without code.
>
> CVE is not a database, it's a dictionary. If you are looking into more
> information on vulnerabilities please use either Symantec's Bugtraq, ISS's
> Xforce or NIST's ICAT. The first two are cross-referenced with CVE, the
> last one has CVE references and is freely downloadable.
Thank you, I found it extremely difficult (as someone who follows their
own upstream, but not security-related mailinglists) to find ressources
of information. Currently, the CVE IDs are often used to indicate which
issue is talked about (like in the original mail from the
secure-testing-team), but e.g. for CAN-2005-0206 there are no
cross-references except the RedHat and Mandrake advisories, which aren't
too helpful, either.
So I checked the bugtraq list at http://marc.theaimsgroup.com/, but
again these are only security advisories by vendors, not actually
information about patches, right? And vendors often just link to the
CVE...
The Xforce link you gave is a little more helpful to me; but the best I
found (and remembered to have seen before...) was the iDefense page I
found linked from Xforce:
http://www.idefense.com/application/poi/display?type=vulnerabilities
(Unfortunately, there's nothing there about CAN-2005-0206).
As for NIST's ICAT - what is freeyl downloadable there? Again, I only
found references to vendor advisories, no patches.
Specifically, on all those pages I couldn't find anything about the
differences between CAN-2004-0888 and CAN-2004-0889.
If you keep me (or debian-tetex-maint) in the Cc, I'll happily write a
patch for the Developer's Reference about security ressources.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Reply to: