Re: [arch-security] Division of Labor
I also think we need a system to track which CVEs have been dealt with.
How about a wiki page with a table (per month?) with the following columns:
CVE Id, Package/version, Date public, Update/Bug (upstream version with fix or bug report number with patch), Fixed version, Time vulnerable (for interest!)
Allan
I just created a page to track CVE for 2014 (if it gets too long, we will split it later): https://wiki.archlinux.org/index.php/CVE-2014
It's basically a table with the following columns for each CVE: CVE-id, Package/version, Date public, Update/Bug (upstream version with fix or bug report number with patch), Fixed version, Time vulnerable (for interest!)
As you might see, any wikitext ninja is welcome to improve the table ;)
I will add some links later: CVE-ids linked to Mitre, Package name linked to the good page, FS# linked to the bug report.
I filled it with the content of the file I used on my laptop to keep track of CVE to see what it looks like with real content.
There are CVEs with the time vulnerable field filled with "??"; it means that I didn't take time to check them. It's easy work for anybody willing to get his hands dirty with CVE management.
RbN
On 14/03/14 07:20, RbN wrote:
Great! The time was more of interest to me so we could track how well we were doing with this.
Allan
I just created a page to track CVE for 2014 (if it gets too long, we will split it later) : https://wiki.archlinux.org/index.php/CVE-2014
I've added a column 'status' to quickly know the status of the vulnerability. I would also like to see every CVE monitored in the table (even those Arch is not vulnerable to), to be able to quickly know if someone else already took care of checking whether Arch was vulnerable or not. So if you are a member of the CVE monitoring team, please fill the table with every CVE you deal with. If you are a dev, it would be nice of you to do the same when you are updating a package and the related changelog mentions some CVE. The only aim of that is to keep track of every CVE and to know if someone else already took care of it and thus not spend time for nothing.
Thanks
RbN
Participants (2): Allan McRae, RbN