[Secure-testing-team] Security update for fuse

Micah Anderson micah at riseup.net
Sun Jun 19 15:35:51 UTC 2005


Moritz Muehlenhoff wrote on Saturday, 18 June 2005:

> Joey Hess wrote:
> > Moritz Muehlenhoff wrote:

> Ok, what about this:
> 
> CAN-2005-XXXX [buffer overflow in foo]
>         - foo 3.1.4
> 
> CAN-2005-XXXX [foo is DoSable when used in full moon and its PID is a mersenne prime]
>         _ foo 3.1.4

To clarify, you are suggesting that we use the '-' character for
medium/normal priority items, the '_' character for low/rare priority
items.

> CAN-2005-XXXX [remote root exploit in foo]
>         ^ foo 3.1.4

and '^' for high priority items, am I reading that correctly?

> And it would be nice if our provisional vulnerability summaries were overwritten
> with MITRE's once these are issued, right now the script doesn't touch these.

Do you have ideas of how to do that? It seems like a difficult problem
and would always require manual cross-referencing, unless I am
misunderstanding what you are referring to.

> > Anyway, an experimental apt repo for this is easy enough to set up. I
> > wonder where we should mail the announcements? 
> 
> What about an additional Alioth ML for now? If it works out after the experimental
> phase it can still be promoted to a regular d.o list.

We can set up apt repositories and mailing lists on alioth, although
such repositories seem pretty ad-hoc. What about something on
debian.net?

> > Couldn't we just get a pipe to mitre and submit those? I assume we have
> > other data sources for them that mitre could point to, such as the
> > debian BTS.
> 
> I just asked the security team for a CVE ID for an issue not present in Woody
> and Joey told me that they don't assign IDs to such issues, only if it were
> present in another vendor's product.
> I'll check which conditions would be required to assign IDs for these as well.

Are you checking with MITRE about this? If so, I think others should
not attempt communication with them. I think that if we do approach
MITRE it should be through one person and not have multiple people
speaking with them. Having one person (and a backup) as someone that
they expect communications from seems like it would increase our
chances of success with them. I'd be happy to help with being a
liaison/interface with them.

micah
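The list format Moritz proposes above (a CVE/CAN line with a bracketed summary, followed by indented package/version lines whose leading character is the priority marker) is simple enough that a tracker script can parse it mechanically. The following parser is an added example, not a script from this thread or from the secure-testing project; it assumes the marker meanings as Micah reads them ('-' medium, '_' low, '^' high), and the sample input is constructed from the thread's own placeholder entries (the XXXX ids are the thread's placeholders, not real assignments):

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the proposed format. The ids are the thread's own
# "XXXX" placeholders for not-yet-assigned identifiers, not real CVE numbers.
SAMPLE = """\
CAN-2005-XXXX [buffer overflow in foo]
        - foo 3.1.4
CAN-2005-XXXX [foo is DoSable when used in full moon and its PID is a mersenne prime]
        _ foo 3.1.4
CAN-2005-XXXX [remote root exploit in foo]
        ^ foo 3.1.4
        - bar 1.0
"""

# Assumed marker meanings, following Micah's reading of the proposal.
PRIORITY = {"-": "medium", "_": "low", "^": "high"}

# "CAN-2005-1234 [summary]" or the provisional "CAN-2005-XXXX [summary]".
ENTRY_RE = re.compile(r"^(CAN|CVE)-\d{4}-(\d{4,}|XXXX)\s+\[(.*)\]\s*$")
# Indented fix line: marker, package, fixed version.
FIX_RE = re.compile(r"^\s+([-_^])\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Entry:
    cve: str
    summary: str
    fixes: list = field(default_factory=list)  # (priority, package, version)

    def is_provisional(self):
        # Placeholder id: the summary is ours, not MITRE's, and the id
        # still has to be replaced once one is assigned.
        return self.cve.endswith("-XXXX")


def parse(text):
    """Parse the tracker list into Entry objects; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(cve=line.split()[0], summary=m.group(3)))
            continue
        m = FIX_RE.match(line)
        if m:
            if not entries:
                raise ValueError(f"line {lineno}: fix line before any CVE entry")
            marker, pkg, ver = m.groups()
            entries[-1].fixes.append((PRIORITY[marker], pkg, ver))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return entries


def provisional(entries):
    """Entries whose id is still a placeholder (candidates for a MITRE update)."""
    return [e for e in entries if e.is_provisional()]


def with_priority(entries, level):
    """Entries that have at least one fix line at the given priority."""
    return [e for e in entries if any(p == level for p, _, _ in e.fixes)]


if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e.cve, e.summary, e.fixes)
```

Because the parser rejects any line it does not recognise, a typo in a marker or a fix line that precedes its CVE line shows up as an error at that line number instead of silently dropping an entry, which is the failure mode a hand-maintained list is most exposed to.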

