Hello,

A message to give some hints and links to look more efficiently for security issues and CVE.

Some mailing lists:

* oss-sec
  main list dealing with security of free software, a lot of CVE attributions happen here, required if you wish to follow security news.
  * info: http://oss-security.openwall.org/wiki/mailing-lists/oss-security
  * subscribe: oss-security-subscribe(at)lists.openwall.com
  * archive: http://www.openwall.com/lists/oss-security/
* bugtraq
  a full disclosure moderated mailing list (noisy)
  * info: http://www.securityfocus.com/archive/1/description
  * subscribe: bugtraq-subscribe(at)securityfocus.com
* full-disclosure
  another full-disclosure mailing-list (noisy)
  * info: http://lists.grok.org.uk/full-disclosure-charter.html
  * subscribe: full-disclosure-request(at)lists.grok.org.uk

You can also use some others: LibreOffice, X.org, Puppetlabs, ISC, etc.

Resources of other distributions (to look for CVE, patch, comments etc.):

RedHat and Fedora:
* rss advisories: https://admin.fedoraproject.org/updates/rss/rss2.0?type=security
* CVE tracker: https://access.redhat.com/security/cve/<CVE-id>
* bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id>

Ubuntu:
* advisories: http://www.ubuntu.com/usn/atom.xml
* CVE tracker: http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id>
* database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master

Debian:
* CVE tracker: http://security-tracker.debian.org/tracker/<CVE-id>
* patch-tracker: http://patch-tracker.debian.org/
* database: http://anonscm.debian.org/viewvc/secure-testing/data/

OpenSUSE:
* CVE tracker: http://support.novell.com/security/cve/<CVE-id>.html

Mitre and NVD links for CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-id>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-id>

NVD and Mitre do not necessarily fill their CVE entry immediately after attribution, so it's not always relevant for us.
The CVE-id and the "Date Entry Created" fields do not have particular meaning. CVEs are attributed by CVE Numbering Authorities (CNA), and each CNA obtains CVE blocks from Mitre when needed/asked, so the CVE ID is not linked to the attribution date. The "Date Entry Created" field often only indicates when the CVE block was given to the CNA, nothing more.

Linux Weekly News:
LWN provides a daily notice of security updates for various distributions, sometimes very useful:
http://lwn.net/headlines/newrss
This might be very handy to check if we miss something.

If you need more, check the openwall wiki:
http://oss-security.openwall.org/wiki/

RbN