[arch-security] Security-related resources

RbN r.b.n at riseup.net
Tue Mar 11 15:56:32 EDT 2014


Hello,

A message to give some hints and links to look more efficiently for security 
issues and CVE.

Some mailing lists:
* oss-sec
        main list dealing with security of free software, a lot of CVE
        attributions happen here, required if you wish to follow security news.
        * info: http://oss-security.openwall.org/wiki/mailing-lists/oss-security
        * subscribe: oss-security-subscribe(at)lists.openwall.com
        * archive: http://www.openwall.com/lists/oss-security/
* bugtraq
        a full disclosure moderated mailing list (noisy)
        * info: http://www.securityfocus.com/archive/1/description
        * subscribe: bugtraq-subscribe(at)securityfocus.com
* full-disclosure
        another full-disclosure mailing-list (noisy)
        * info: http://lists.grok.org.uk/full-disclosure-charter.html
        * subscribe: full-disclosure-request(at)lists.grok.org.uk
You can also use some others: LibreOffice, X.org, Puppetlabs, ISC, etc.

Resources of other distributions (to look for CVE, patch, comments etc.):
RedHat and Fedora:
        * rss advisories: https://admin.fedoraproject.org/updates/rss/rss2.0?type=security
        * CVE tracker: https://access.redhat.com/security/cve/<CVE-id>
        * bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id>
Ubuntu:
        * advisories: http://www.ubuntu.com/usn/atom.xml
        * CVE tracker: http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id> 
        * database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
Debian:
        * CVE tracker: http://security-tracker.debian.org/tracker/<CVE-id>
        * patch-tracker: http://patch-tracker.debian.org/
        * database: http://anonscm.debian.org/viewvc/secure-testing/data/
OpenSUSE:
        * CVE tracker: http://support.novell.com/security/cve/<CVE-id>.html


Mitre and NVD links for CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-id>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-id>
NVD and Mitre do not necessarily fill their CVE entry immediately after 
attribution, so it's not always relevant for us.
The CVE-id and the "Date Entry Created" fields do not have particular meaning. 
CVEs are attributed by CVE Numbering Authorities (CNA), and each CNA obtains CVE 
blocks from Mitre when needed/asked, so the CVE ID is not linked to the 
attribution date. The "Date Entry Created" field often only indicates when the 
CVE block was given to the CNA, nothing more.

Linux Weekly News:
LWN provides a daily notice of security updates for various distributions, 
sometimes very useful: http://lwn.net/headlines/newrss
This might be very handy to check if we miss something.

If you need more, check the openwall wiki: 
http://oss-security.openwall.org/wiki/


RbN