Petter Reinholdtsen
2011-Feb-04 10:43 UTC
[Secure-testing-team] What is the policy on registering CVEs for security issues in Debian?
I notice quite a lot of security issues from the previous years listed
in the Debian CVE database are still not assigned CVEs:
% grep XXXX data/CVE/list |cut -d- -f2|sort|uniq -c
1 1999
2 2001
4 2002
3 2003
6 2004
101 2005
54 2006
50 2007
32 2008
73 2009
65 2010
9 2011
%
What is the policy regarding CVE assignment for the Debian Testing
security work?
Happy hacking,
--
Petter Reinholdtsen
Michael Gilbert
2011-Feb-04 16:01 UTC
[Secure-testing-team] What is the policy on registering CVEs for security issues in Debian?
On Fri, 04 Feb 2011 11:43:56 +0100, Petter Reinholdtsen wrote:
>
> I notice quite a lot of security issues from the previous years listed
> in the Debian CVE database are still not assigned CVEs:
>
> % grep XXXX data/CVE/list |cut -d- -f2|sort|uniq -c
> 1 1999
> 2 2001
> 4 2002
> 3 2003
> 6 2004
> 101 2005
> 54 2006
> 50 2007
> 32 2008
> 73 2009
> 65 2010
> 9 2011
> %
>
> What is the policy regarding CVE assignment for the Debian Testing
> security work?

Theoretically, someone should be asking for assignments on oss-sec for
all of these, but the time commitment is large (since one would need to
understand the details of each issue before asking) and most of the
issues are minor.

With that said, I think it would be very useful to get those issues on
the radar of other distros. Ultimately, it's just the right thing to do,
but someone has to be willing to volunteer to do the (rather
unrewarding) work.

Best wishes,
Mike