I wrote: > Michael Paquier <michael.paqu...@gmail.com> writes: >> On Mon, Oct 12, 2015 at 2:54 AM, Josh Berkus wrote: >>> I don't know that there's anything the PostgreSQL project can do about >>> it. If anyone on this list is connected with MITRE, please ask them >>> what they need to be more prompt.
>> http://cve.mitre.org/ has a "Contact Us" tab linking to the address I >> mentioned. That may be a start as at this state this is far more than >> 6 weeks. > I'm inclined to start by asking the Red Hat security guys, from whom > we obtained all these CVE numbers to begin with. Will check into it > tomorrow. According to the Red Hat guys, the fundamental problem is that Mitre like to research and write up the official CVE descriptions themselves ... which would be fine if they had adequate resources to do it in a timely fashion, but they don't really. Apparently, most of our bugs are of low enough severity to be way down their priority list. (Maybe we should consider that a good thing.) However, Red Hat did also point out a possible alternative: instead of linking to the Mitre website, we could link to Red Hat's own repository of CVE descriptions at https://access.redhat.com/security/cve/ for example https://access.redhat.com/security/cve/CVE-2015-5289 This is not as unofficial as it might seem, because for several years now Mitre has officially delegated responsibility for initial assignment of CVE numbers for all open-source issues to Red Hat. (It's just final wording of the descriptions that they're insisting on doing themselves.) A quick browse through some of the relevant items says that this is at least as good as cve.mitre.org in terms of the descriptions of the security issues, but it is a bit Red-Hat-centric in that there's info about which Red Hat package releases include a fix, but not about package releases from other vendors such as Ubuntu. As a former wearer of the red fedora, I'm not going to pretend to have an unbiased opinion on whether we should switch our security-page links to point to Red Hat's entries instead of Mitre's. But it's something worth considering, given that we're seeing as much as a year's lag in Mitre's pages. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers