Thanks, RbN.

I just posted a link to the wiki page.  Parts of your email were indispensable in its creation. 

Again, many thanks.

BW

------------------------------------------[00(01|10)11]-----------------------------------------

Billy Wayne McCann, Ph.D.
Google+
PGP Key
irc://irc.freenode.net:bwayne

MzM0LTcwMy0wMTIyCg== | base64 -d


"A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)

------------------------------------------[11(10|01)00]------------------------------------------


On Tue, Mar 11, 2014 at 3:56 PM, RbN <r.b.n@riseup.net> wrote:
Hello,

A message to give some hints and links to look more efficiently for security
issues and CVE.

Some mailing lists:
* oss-sec
        main list dealing with security of free software, a lot of CVE
        attributions happen here, required if you wish to follow security news.
        * info: http://oss-security.openwall.org/wiki/mailing-lists/oss-security
        * subscribe: oss-security-subscribe(at)lists.openwall.com
        * archive: http://www.openwall.com/lists/oss-security/
* bugtraq
        a full disclosure moderated mailing list (noisy)
        * info: http://www.securityfocus.com/archive/1/description
        * subscribe: bugtraq-subscribe(at)securityfocus.com
* full-disclosure
        another full-disclosure mailing-list (noisy)
        * info: http://lists.grok.org.uk/full-disclosure-charter.html
        * subscribe: full-disclosure-request(at)lists.grok.org.uk
You can also use some others: LibreOffice, X.org, Puppetlabs, ISC, etc.

Resources of other distributions (to look for CVE, patch, comments etc.):
* RedHat and Fedora:
        * rss advisories: https://admin.fedoraproject.org/updates/rss/rss2.0?type=security
        * CVE tracker: https://access.redhat.com/security/cve/<CVE-id>
        * bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id>
* Ubuntu:
        * advisories: http://www.ubuntu.com/usn/atom.xml
        * CVE tracker: http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id>
        * database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
* Debian:
        * CVE tracker: http://security-tracker.debian.org/tracker/<CVE-id>
        * patch-tracker: http://patch-tracker.debian.org/
        * database: http://anonscm.debian.org/viewvc/secure-testing/data/
* OpenSUSE:
        * CVE tracker: http://support.novell.com/security/cve/<CVE-id>.html


Mitre and NVD links for CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-id>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-id>
NVD and Mitre do not necessarily fill their CVE entry immediately after
attribution, so it's not always relevant for us.
The CVE-id and the "Date Entry Created" fields do not have particular meaning.
CVEs are attributed by CVE Numbering Authorities (CNA), and each CNA obtains CVE
blocks from Mitre when needed/asked, so the CVE ID is not linked to the
attribution date. The "Date Entry Created" field often only indicates when the
CVE block was given to the CNA, nothing more.

Linux Weekly News:
LWN provides a daily notice of security updates for various distributions,
sometimes very useful: http://lwn.net/headlines/newrss
This might be very handy to check if we miss something.

If you need more, check the openwall wiki:
http://oss-security.openwall.org/wiki/


RbN

_______________________________________________
arch-security mailing list
arch-security@archlinux.org
https://mailman.archlinux.org/mailman/listinfo/arch-security