[arch-security] CVEs in Arch Linux (current, future tracking)

Wed Apr 15 23:32:53 UTC 2015

> So cve-check-tool deals solely with non-embargoed CVEs, and as such
> the CVEs known to distributions are handled differently. An example
> of this is the recent openssl updates, whereby the CVE was marked
> as "reserved" for a fair amount of time. This is naturally because
> these are high publicity projects, and it gives everyone plenty of time to
> migrate.
>
> We've already got a few things being worked on at the moment to
> monitor these hi-p projects to increase the amount of information
> available to cve-check-tool at any one time.
>
> Note for relatively normal CVEs (99% of them) they appear rapidly
> within the DB, and we index/check every vuln from 2002 up to the
> current minute (NVD is resynced every 3-4hr)

No, its simply not true! It lacks behind often a lot, even for non
embargoed and publicly disclosed vulnerabilities which often even have
PoCs attached. Even for initially embargoed CVEs after the vendor
releases a own advisory its still unavailable after multiple months.

Most of the time if we write advisories for Arch Linux then we have to
point to Red-Hat or mitre as the NVD does not contain the CVE yet (and
most of the time that has nothing to do with embargoed CVEs like the
openssl case) as those were disclosed on public lists with full details
and CVE IDs were assigned by mitre.
During distribution level of mitigation we experience over and over
again that NVD is hanging behind for some non-embargoed CVEs for days,
weeks and sometimes moths.

You can check our CVE page [0] or the released advisories [1], if at the
point we write an advisory the NVD contains the CVE already, we are
always using that as a reference link. If its not available then we use
something different, please note how often some other links are used to
that particular point of time (also several of the non embargoed CVEs on
the CVE [0] page do *still* not have a association in NVD!

After a fast 5min search just to name some, which are disclosed for a
very long time and still have no entry in NVD:
- icecast: CVE-2015-3026
- tor: CVE-2015-2928 CVE-2015-2929
- musl: CVE-2015-1817
- webkitgtk: CVE-2015-2330
- sudo: CVE-2014-9680
- ntp: CVE-2014-9297 CVE-2014-9298
- postgresql: CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244

Don't get me wrong, your tool is great and useful, but trust me, only
monitoring NVD for a distribution level of mitigation is *very* far from
being optimal, enough or up-to-date (also when monitoring some of the
"hi-p projects"). Please don't take this as offense.

cheers,
Levente

[0] https://wiki.archlinux.org/index.php/CVE
[1] https://wiki.archlinux.org/index.php/Security_Advisories

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150416/22f14017/attachment.asc>