[Secure-testing-team] Re: xpdf vulnerability?
Frank Küster
frank at kuesterei.ch
Tue Mar 22 13:01:37 UTC 2005
[restricting Cc to the lists]
Javier Fernández-Sanguino Peña <jfs at computer.org> wrote:
> On Tue, Mar 22, 2005 at 11:57:01AM +0100, Frank Küster wrote:
>>
>> Me neither. I find these CVE pages on mitre.org annoying, giving no
>> real information, only meta-information which is again just vendor stuff
>> without code.
>
> CVE is not a database, it's a dictionary. If you are looking into more
> information on vulnerabilities please use either Symantec's Bugtraq, ISS's
> Xforce or NIST's ICAT. The first two are cross-referenced with CVE, the
> last one has CVE references and is freely downloadable.
Thank you, I found it extremely difficult (as someone who follows their
own upstream, but not security-related mailing lists) to find resources
of information. Currently, the CVE IDs are often used to indicate which
issue is talked about (like in the original mail from the
secure-testing-team), but e.g. for CAN-2005-0206 there are no
cross-references except the RedHat and Mandrake advisories, which aren't
too helpful, either.
So I checked the bugtraq list at http://marc.theaimsgroup.com/, but
again these are only security advisories by vendors, not actually
information about patches, right? And vendors often just link to the
CVE...
The Xforce link you gave is a little more helpful to me; but the best I
found (and remembered to have seen before...) was the iDefense page I
found linked from Xforce:
http://www.idefense.com/application/poi/display?type=vulnerabilities
(Unfortunately, there's nothing there about CAN-2005-0206).
As for NIST's ICAT - what is freely downloadable there? Again, I only
found references to vendor advisories, no patches.
Specifically, on all those pages I couldn't find anything about the
differences between CAN-2004-0888 and CAN-2004-0889.
If you keep me (or debian-tetex-maint) in the Cc, I'll happily write a
patch for the Developer's Reference about security resources.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer