[Secure-testing-team] Assigning unique identifiers (CVE?)
Moritz Muehlenhoff
jmm at inutil.org
Tue Mar 7 11:51:25 UTC 2006
Florian Weimer wrote:
> We have a growing list of issues which have not yet received a proper
> unique identifier (this is related to Debian bug #352965). Addressing
> a few shortcomings in the current database scheme would be easier if I
> had a unique identifier for *every* issue.
>
> There are several approaches:
>
> * Use the description (in [brackets]) as the unqiue identifier. The
> downside is that we still won't have really stable identifiers for
> non-CVE issues.
I don't think we've ever changed a temporary description in brackets so
far, so that would be my preferred solution.
> * Assign Debian Vulnerability Names (DVNs) for issues which are too
> minor/obscure for CVE, based on a simple scheme which still needs
> to be developed.
Nothing is too minor for MITRE, it's just that someone need to push it
to them. But we should track this process in SVN, e.g. with a short file
who did it, when at and at what time we pinged them etc.
> * Get MITRE to train some more Debian people on CVE assignment, and
> use CVEs exclusively.
Not much training required, just compile the links and references and
send them, the more precise, the better.
Cheers,
Moritz
More information about the Secure-testing-team
mailing list