On 7/11/07, Alec Berryman <[EMAIL PROTECTED]> wrote:
> I can't speak for the security team, but the testing security team could always use more people doing what you apparently already do - determine which new CVEs affect Debian and find ways to get those issues fixed.
Actually I'm not currently following recent vulnerabilities, sorry... I just wanted to suggest a useful feature that could help others now and also myself in the future.
> Much of the infrastructure you mentioned is already in place. The testing security team keeps a list of CVEs and short descriptions of how (if at all) each affects Debian as well as information like versions in which the issue is fixed, bug numbers, and severity indicators. It's kept in plain-text in a publicly-viewable svn repository, but there are other ways to view the information. At http://security-tracker.debian.net/ you can look up the status of different packages, CVEs, and security bug numbers. Also, the Debian Security Analyzer (package debsecan) will alert you to vulnerable packages on that system using the security-tracker data.
Thanks for the information, it's really helpful.

--
Alexander