Hi,

On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
>
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.

Creating individual bugs in the Debian BTS, including more details like fixing commits would be a great start, since we use either CVEs or references to the Debian BTS in DSAs (and DLAs). Furthermore the security-tracker handles both (you can actually search items there via either CVE id, bug number or package name).

The original CVE request at http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not fully optimal, since it just pasted a collection of items. Adding references to fixing commits would have helped to get CVEs assigned to issues. The original request at least makes it really hard to identify the issues and make sure the CVEs are assigned correctly.

Regards,
Salvatore