[Secure-testing-team] What is the policy on registering CVEs for security issues in Debian?

Michael Gilbert michael.s.gilbert at gmail.com
Fri Feb 4 16:01:11 UTC 2011


On Fri, 04 Feb 2011 11:43:56 +0100, Petter Reinholdtsen wrote:
> 
> I notice quite a lot of security issues from the previous years listed
> in the Debian CVE database are still not assigned CVEs:
> 
>   % grep XXXX data/CVE/list |cut -d- -f2|sort|uniq -c
>       1 1999
>       2 2001
>       4 2002
>       3 2003
>       6 2004
>     101 2005
>      54 2006
>      50 2007
>      32 2008
>      73 2009
>      65 2010
>       9 2011
>   % 
> 
> What is the policy regarding CVE assignment for the Debian Testing
> security work?

Theoretically, someone should be asking for assignments on oss-sec for
all of these, but the time commitment is large (since one would need to
understand the details of each issue before asking) and most of the
issues are minor.

With that said, I think it would be very useful to get those issues on
the radar of other distros.  Ultimately, it's just the right thing to do,
but someone has to be willing to volunteer to do the (rather
unrewarding) work.

Best wishes,
Mike


