[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE

Florian Weimer fw at deneb.enyo.de
Mon Dec 19 11:53:24 UTC 2005


* Moritz Muehlenhoff:

> Florian Weimer wrote:
>> * Moritz Muehlenhoff:
>> 
>> > +CVE-2005-XXXX [Another fib_lookup DoS]
>> > +	- linux-2.6 <unfixed>
>> > +CVE-2005-XXXX [DoS in i82365 driver]
>> > +	- linux-2.6 <unfixed>
>> 
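Review bot: Both added entries carry the same placeholder ID, CVE-2005-XXXX, and nothing beyond a bracketed description and `- linux-2.6 <unfixed>`, so once a CVE name is assigned there is nothing in the entry to match it against. Suggest adding a reference under each entry (a bug number or a list-archive link); "Another fib_lookup DoS" in particular does not say which earlier fib_lookup issue it is distinct from.
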
>> Would it be possible to add a cross-reference in such cases,
>> preferably to MARC, or a bug number?  Otherwise, it's hard to figure
>> out which issue it is.
>
> The kernel is a bit special, because issues are frequent, upstream
> information policy is vague and fixes need to be applied to a
> plethora of Woody, Sarge and sid kernels.

I'm aware of the problems. 8-]

The trouble with the above two entries is that they provide so little
information.  Maybe you could add a URL: tag, something like this?

CVE-2005-XXXX [Another fib_lookup DoS]
	URL: http://svn.debian.org/wsvn/kernel/patch-tracking/...
	URL: http://marc.theaimsgroup.com/?m=...

Anything which would be helpful in identifying the issue would help.
Otherwise, only you can merge it with the CVE entry when the CVE name
is assigned.

If this is too much work, I'm not sure if it makes sense to add these
entries before a CVE is assigned.

> Thus, most kernel tracking is now done in the Subversion repo of the
> kernel team (in the patchtracking/ directory). 

That is <http://svn.debian.org/wsvn/kernel/patch-tracking/>, but I
can't find the two issues over there.
