Florian Weimer wrote:
> * Raphael Geissert:
>
>> If that's not desirable, maybe a concept of "HINT"s could be introduced,
>> where the script that updates the CVE/list file from the CVE db
>> automatically adds HINTs of possibly affected packages based on the
>> embedded-code-copies files, the technique used by the check-new-issues
>> (apt-cache search), and a simple file that could be used to associate
>> full project names with a package name (say "Alvaro's Messenger" with
>> "amsn").
>
> NVD does some of that already. For an example, see "Vulnerable
> software and versions" under:
>
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1895>
>
> There are quite a few CPE names already: <http://nvd.nist.gov/cpe.cfm>
>
> If that data is reasonably current (it's also available over XML), we
> could generate (PTS) alerts based on that. The advantage is that CPE
> is normalized, while CVE descriptions aren't (I tried to build a Naive
> Bayesian classifier once, but it did not work that well).
It might be worth taking a look at it, but I expect we will still need
some sort of mapping between the CPE names and the Debian package names.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
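The following is an added illustration of the scheme discussed in this thread (CPE names from NVD data, plus a hand-maintained CPE-to-package file, the embedded-code-copies list and a plain package-name match, turned into HINT lines for CVE/list). It is not code from the Debian security tracker or the secure-testing scripts. The "vendor:product package" mapping file format, the "HINT:" line format, the CVE ids, the CPE names, the package names and the embedded-copies table are all constructed for the example; "alvaro:amsn" is only a stand-in for whatever CPE name NVD actually assigns to amsn.

```python
"""
Generate "HINT" lines for the secure-testing CVE/list file from NVD-style
CPE data.  Added example for the thread above; not Debian security tracker
code.  Every name, file format and sample record below is constructed.
"""
import re

# CPE 2.2 URI form as used by NVD at the time:
#   cpe:/{part}:{vendor}:{product}[:{version}[:...]]
# part is 'a' (application), 'o' (operating system) or 'h' (hardware).
CPE_RE = re.compile(
    r"^cpe:/(?P<part>[aho]):(?P<vendor>[^:]*):(?P<product>[^:]*)"
    r"(?::(?P<version>[^:]*))?"
)


def parse_cpe(uri):
    """Return (part, vendor, product, version) from a CPE 2.2 URI; version is '' if absent."""
    m = CPE_RE.match(uri)
    if m is None:
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    return m.group("part"), m.group("vendor"), m.group("product"), m.group("version") or ""


def load_table(text):
    """Parse a hand-maintained 'key value...' file, ignoring blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table[fields[0]] = fields[1:]
    return table


# Constructed mapping from CPE vendor:product to Debian source package: the
# "simple file" proposed in the thread, keyed by CPE name rather than project title.
CPE_TO_DEBIAN = load_table("""
# vendor:product   debian-source-package
alvaro:amsn        amsn
""")

# Constructed stand-in for embedded-code-copies: upstream package -> packages
# that ship a private copy of its code.
EMBEDDED_COPIES = load_table("""
libfoo   pkg-a pkg-b
""")

# Constructed stand-in for the archive's source package names (the data that
# check-new-issues consults via apt-cache search).
DEBIAN_PACKAGES = {"amsn", "libfoo", "pkg-a", "pkg-b", "bar"}

# Constructed NVD-style records: CVE id -> CPE names listed as vulnerable.
# The ids are placeholders, not real CVEs.
NVD_SAMPLE = {
    "CVE-0000-0001": ["cpe:/a:alvaro:amsn:0.97"],
    "CVE-0000-0002": ["cpe:/a:example:libfoo:1.0"],
    "CVE-0000-0003": ["cpe:/a:example:unknownproj:2.1"],
    "CVE-0000-0004": ["cpe:/o:example:someos:3", "cpe:/a:example:bar:4.2"],
}


def hints_for_cve(cpe_uris, cpe_map=CPE_TO_DEBIAN, packages=DEBIAN_PACKAGES,
                  embedded=EMBEDDED_COPIES):
    """Map one CVE's CPE names to candidate Debian packages.

    Returns {package: reason}.  Resolution order: explicit CPE mapping first,
    then a plain product-name match against the package list; packages that
    embed a copy of a matched package are added after it.  The CPE version is
    parsed but not compared with Debian versions.
    """
    hints = {}
    for uri in cpe_uris:
        part, vendor, product, _version = parse_cpe(uri)
        if part != "a":
            continue  # OS and hardware entries do not name a Debian package
        key = "%s:%s" % (vendor, product)
        if key in cpe_map:
            pkg, reason = cpe_map[key][0], "cpe-map %s" % key
        else:
            candidate = product.lower().replace("_", "-")
            if candidate not in packages:
                continue  # no hint; a human still has to triage this CVE
            pkg, reason = candidate, "name-match %s" % key
        hints.setdefault(pkg, reason)
        for copy in embedded.get(pkg, []):
            hints.setdefault(copy, "embedded-copy of %s" % pkg)
    return hints


def generate_hints(feed, **tables):
    """Apply hints_for_cve to a whole {cve: [cpe, ...]} feed."""
    return {cve: hints_for_cve(uris, **tables) for cve, uris in feed.items()}


def format_cve_list_entry(cve, hints):
    """Render one entry in the style of CVE/list, with an assumed HINT line format."""
    lines = [cve]
    for pkg in sorted(hints):
        lines.append("\tHINT: %s (%s)" % (pkg, hints[pkg]))
    if len(lines) == 1:
        lines.append("\tHINT: none")
    return "\n".join(lines)


if __name__ == "__main__":
    for cve, hints in generate_hints(NVD_SAMPLE).items():
        print(format_cve_list_entry(cve, hints))
```

Two caveats worth keeping in mind when turning this into real alerts: the plain product-name match is a heuristic and will produce false positives (hence "HINT", not a claim that the package is affected), and the CPE version string is deliberately not compared with Debian's epoch:upstream-revision versions, since that mapping needs per-package knowledge the feed does not carry.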
