[Secure-testing-team] Security update for fuse

Steve Langasek vorlon at debian.org
Fri Jun 17 23:33:00 UTC 2005


On Sat, Jun 18, 2005 at 12:37:24AM +0200, Moritz Muehlenhoff wrote:
> Joey Hess wrote:

> > > DTSAs seem like a good idea. For the sake of consistency it seems like a good
> > > idea to issue them from the s-t team. When doing so we should talk to the MITRE
> > > people about whether DTSAs would qualify as CVE data sources. There are currently
> > > 55 vulnerabilities tracked by us that haven't ever received a CVE assignment,
> > > some of which may as well be in other vendors' products. (MITRE may be only a
> > > dictionary, but in practice it's more).

> > Couldn't we just get a pipe to MITRE and submit those? I assume we have
> > other data sources for them that MITRE could point to, such as the
> > Debian BTS.

> I just asked the security team for a CVE ID for an issue not present in Woody
> and Joey told me that they don't assign IDs to such issues, only if it were
> present in another vendor's product.

AFAIK, what this actually means is that the Debian security team will not
*request* a CVE ID for an issue not present in a stable release, and
therefore none will be assigned.  I don't know of any explicit reason why
CVE IDs couldn't be issued for DTSAs, if the secure-testing team established
a relationship with MITRE.

-- 
Steve Langasek
postmodern programmer