[Secure-testing-team] Security update for fuse
Moritz Muehlenhoff
jmm at inutil.org
Sun Jun 19 20:10:20 UTC 2005
Micah Anderson wrote:
> > > Moritz Muehlenhoff wrote:
>
> > Ok, what about this:
> >
> > CAN-2005-XXXX [buffer overflow in foo]
> > - foo 3.1.4
> >
> > CAN-2005-XXXX [foo is DoSable when used in full moon and its PID is a mersenne prime]
> > _ foo 3.1.4
>
> To clarify, you are suggesting that we use the '-' character for
> medium/normal priority items, the '_' character for low/rare priority
> items.
Yes.
> > CAN-2005-XXXX [remote root exploit in foo]
> > ^ foo 3.1.4
>
> and '^' for high priority items, am I reading that correctly?
Yup.
> > And it would be nice if our provisional vulnerability summaries were overwritten
> > with MITRE's once these are issued; right now the script doesn't touch these.
>
> Do you have ideas of how to do that? It seems like a difficult problem
> and would always require manual cross-referencing, unless I am
> misunderstanding what you are referring to.
Might have been a bit hard to understand; I referred to cases where the CAN ID is still
reserved, but information about a certain vulnerability has already been published,
e.g. CAN-2005-1858. Once the official description is out, it would be nice if the provisional
one were overwritten; right now it's kept.
> We can setup apt repositories and mailing lists on alioth, although
> such repositories seem pretty ad-hoc. What about something on
> debian.net?
If it's no more difficult than Alioth, why not?
> > > Couldn't we just get a pipe to mitre and submit those? I assume we have
> > > other data sources for them that mitre could point to, such as the
> > > debian BTS.
> >
> > I just asked the security team for a CVE ID for an issue not present in Woody
> > and Joey told me that they don't assign IDs to such issues, only if it were
> > present in another vendor's product.
> > I'll check which conditions would be required to assign IDs for these as well.
>
> Are you checking with MITRE about this?
Yes, I've already sent a mail; I'll tell you what they think once they've replied.
Cheers,
Moritz
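As an added illustration (not code from this thread or from the secure-testing scripts), here is a parser for the list notation proposed above: a `CAN-YYYY-NNNN [summary]` header line followed by `- pkg version` (medium), `_ pkg version` (low) or `^ pkg version` (high) lines. It also implements the requested behaviour of overwriting a provisional summary with MITRE's text once the ID is no longer reserved. The file layout, the `Entry` structure, the function names and the sample list and "official" descriptions are all assumptions constructed for the example; only the marker characters and their meanings come from the thread.

```python
import re
from dataclasses import dataclass, field

# Marker characters from the proposal, mapped to a priority (assumed names).
PRIORITY = {"-": "medium", "_": "low", "^": "high"}

# Header: "CAN-2005-1234 [summary]" or the "CAN-2005-XXXX" placeholder for not-yet-requested IDs.
ID_RE = re.compile(r"^(CAN-\d{4}-(?:\d{4}|XXXX))\s*\[(.*)\]\s*$")
# Package line: marker, package name, fixed version.
PKG_RE = re.compile(r"^([-_^])\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Entry:
    cve_id: str
    description: str
    provisional: bool                                  # True until MITRE's text replaces it
    packages: list = field(default_factory=list)       # (priority, package, version)


def parse_list(text):
    """Parse the proposed list format into Entry objects; any unknown line is an error."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        m = ID_RE.match(line)
        if m:
            current = Entry(m.group(1), m.group(2), provisional=True)
            entries.append(current)
            continue
        m = PKG_RE.match(line)
        if m and current is not None:
            current.packages.append((PRIORITY[m.group(1)], m.group(2), m.group(3)))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return entries


def merge_official(entries, official):
    """Overwrite provisional summaries with the official description once it exists.

    `official` maps CAN IDs to MITRE's published text. IDs absent from it, the XXXX
    placeholder, and IDs whose text is still "** RESERVED **" (the string MITRE uses for
    reserved entries) keep the provisional summary.
    """
    for e in entries:
        desc = official.get(e.cve_id)
        if desc and e.provisional and not desc.startswith("** RESERVED **"):
            e.description = desc
            e.provisional = False
    return entries


# Constructed sample list in the proposed notation (summaries are placeholders, not real advisories).
SAMPLE = """\
CAN-2005-XXXX [buffer overflow in foo]
- foo 3.1.4
CAN-2005-1858 [provisional summary (constructed placeholder)]
_ foo 3.1.4
CAN-2005-XXXX [remote root exploit in foo]
^ foo 3.1.4
"""

# Constructed stand-in for an official description feed.
OFFICIAL = {"CAN-2005-1858": "official description (constructed placeholder)"}

if __name__ == "__main__":
    for e in merge_official(parse_list(SAMPLE), OFFICIAL):
        flag = "provisional" if e.provisional else "official"
        print(e.cve_id, f"[{e.description}]", flag)
        for prio, pkg, ver in e.packages:
            print("   ", prio, pkg, ver)
```

The parser rejects any line it does not recognise rather than skipping it, so a mistyped marker is caught at parse time instead of silently dropping a package from the tracker.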