[Secure-testing-team] Vulnerabilities not affecting Debian: reporting proposal

Alexander Konovalenko alexkon at gmail.com
Thu Jul 12 10:26:20 UTC 2007


On 7/11/07, Alec Berryman <alec at thened.net> wrote:
>
> I can't speak for the security team, but the testing security team could
> always use more people doing what you apparently already do - determine
> which new CVEs affect Debian and find ways to get those issues fixed.

Actually I'm not currently following recent vulnerabilities, sorry...
I just wanted to suggest a useful feature that could help others now
and also myself in the future.

> Much of the infrastructure you mentioned is already in place.  The
> testing security team keeps a list of CVEs and short descriptions of how
> (if at all) each affects Debian as well as information like versions in
> which the issue is fixed, bug numbers, and severity indicators.  It's
> kept in plain-text in a publicly-viewable svn repository, but there are
> other ways to view the information.  At
> http://security-tracker.debian.net/ you can look up the status of
> different packages, CVEs, and security bug numbers.  Also, the Debian
> Security Analyzer (package debsecan) will alert you to vulnerable
> packages on that system using the security-tracker data.

Thanks for the information, it's really helpful.

  -- Alexander


