[arch-security] Security-related resources
RbN
r.b.n at riseup.net
Tue Mar 11 15:56:32 EDT 2014
Hello,
A message to give some hints and links to look more efficiently for security
issues and CVE.
Some mailing lists:
* oss-sec
  main list dealing with security of free software, a lot of CVE
  attributions happen here, required if you wish to follow security news.
  * info: http://oss-security.openwall.org/wiki/mailing-lists/oss-security
  * subscribe: oss-security-subscribe(at)lists.openwall.com
  * archive: http://www.openwall.com/lists/oss-security/
* bugtraq
  a full disclosure moderated mailing list (noisy)
  * info: http://www.securityfocus.com/archive/1/description
  * subscribe: bugtraq-subscribe(at)securityfocus.com
* full-disclosure
  another full-disclosure mailing-list (noisy)
  * info: http://lists.grok.org.uk/full-disclosure-charter.html
  * subscribe: full-disclosure-request(at)lists.grok.org.uk
You can also use some others: LibreOffice, X.org, Puppetlabs, ISC, etc.
Resources of other distributions (to look for CVE, patch, comments etc.):
RedHat and Fedora:
* rss advisories: https://admin.fedoraproject.org/updates/rss/rss2.0?type=security
* CVE tracker: https://access.redhat.com/security/cve/<CVE-id>
* bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id>
Ubuntu:
* advisories: http://www.ubuntu.com/usn/atom.xml
* CVE tracker: http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id>
* database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
Debian:
* CVE tracker: http://security-tracker.debian.org/tracker/<CVE-id>
* patch-tracker: http://patch-tracker.debian.org/
* database: http://anonscm.debian.org/viewvc/secure-testing/data/
OpenSUSE:
* CVE tracker: http://support.novell.com/security/cve/<CVE-id>.html
Mitre and NVD links for CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-id>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-id>
NVD and Mitre do not necessarily fill their CVE entry immediately after
attribution, so it's not always relevant for us.
The CVE-id and the "Date Entry Created" fields do not have particular meaning.
CVEs are attributed by CVE Numbering Authorities (CNA), and each CNA obtains CVE
blocks from Mitre when needed/asked, so the CVE ID is not linked to the
attribution date. The "Date Entry Created" field often only indicates when the
CVE block was given to the CNA, nothing more.
Linux Weekly News:
LWN provides a daily notice of security updates for various distributions,
sometimes very useful: http://lwn.net/headlines/newrss
This might be very handy to check if we miss something.
If you need more, check the openwall wiki:
http://oss-security.openwall.org/wiki/
RbN