[arch-security] CVEs in Arch Linux (current, future tracking)

Levente Polyak anthraxx at archlinux.org
Thu Apr 16 00:02:37 UTC 2015


On 04/16/2015 01:41 AM, Ikey Doherty wrote:
> To provide a shorter response: I'm in no way saying it's the only
> tool to use, it's just one part of a process. I'm also not saying
> we're going to rely solely on NVD in the future, hence my comment
> regarding "increase the amount of information", i.e. we would
> monitor multiple sources within cve-check-tool, and cve-check-tool
> is just one part of a set of tools.
> 
> Regardless, this topic derailed quickly, I simply provided you
> with a means and a set of potential CVEs - my main interest is
> if someone intends to look into the patch naming situation.
> I don't use Arch Linux myself so wouldn't be the one to be
> able to implement it without assistance.
> 
> - ikey

(Please always bottom-post)

I was just answering all the information that you had posted in
reply, nothing more, nothing less!

Also, I already answered your initial questions in a very positive
way: it's a great tool and I want to integrate it as an additional
source into the standard procedure for the security mitigation work we
do in Arch Linux; look at my very first answer!

Additionally, I already provided some details on how you could improve
the PKGBUILD CVE ID matching in the short term, but I will repeat them:
- check whether a CVE ID is part of the *.patch filename at any
  position, allowing an arbitrary prefix and suffix
- also take into account that one patch filename may contain multiple
  CVE IDs.

As I have already pointed out, I will also throw the patch-naming
situation into a discussion round (but can't yet promise anything). I
think I already got all your initial points and also offered and
provided assistance on those. ;-)

cheers
Levente
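An added illustration of the two matching rules proposed in the message above (a CVE ID anywhere in the patch filename, and several IDs in one filename). This is example code written for this page, not code from cve-check-tool or from Arch's tooling. The PKGBUILD text and the CVE IDs in it are constructed placeholders, and the source-array parser is a deliberately minimal, hypothetical one that does not evaluate bash (variables such as $pkgver stay literal, which is enough for picking out local patch filenames).

```python
"""Match CVE IDs named by patch files in a PKGBUILD source=() array.

Rules demonstrated: a CVE ID may sit at any position in the filename
(arbitrary prefix and suffix), and one filename may carry several IDs.
"""
import re
from typing import Dict, Iterable, List, Set

# CVE-YYYY-NNNN with four or more sequence digits (the post-2014 syntax).
# Explicit lookarounds instead of \b so that "fix_CVE-2015-0002x.patch"
# still matches, and a longer digit run such as CVE-2014-12345 is taken
# whole rather than cut after four digits. Case-insensitive so that
# "cve-2014-12345.patch" is found and then normalized to upper case.
CVE_RE = re.compile(r"(?<![0-9A-Za-z])CVE-(\d{4})-(\d{4,})(?!\d)", re.IGNORECASE)
PATCH_SUFFIXES = (".patch", ".diff")


def cve_ids_in_name(name: str) -> List[str]:
    """All CVE IDs in one filename, normalized, in order, without duplicates."""
    ids: List[str] = []
    for m in CVE_RE.finditer(name):
        cid = f"CVE-{m.group(1)}-{m.group(2)}"
        if cid not in ids:
            ids.append(cid)
    return ids


def pkgbuild_sources(pkgbuild: str) -> List[str]:
    """Entries of the first source=( ... ) array, quotes stripped.

    Hypothetical minimal parser: whitespace-split, no bash evaluation.
    """
    m = re.search(r"^source=\((.*?)\)", pkgbuild, re.MULTILINE | re.DOTALL)
    if not m:
        return []
    return [tok.strip("'\"") for tok in m.group(1).split()]


def patch_names(sources: Iterable[str]) -> List[str]:
    """Local filenames of the patch entries in a source array."""
    names: List[str] = []
    for entry in sources:
        # makepkg's "filename::url" form names the local file before "::";
        # for a bare URL the local name is the last path component.
        local = entry.split("::", 1)[0].rsplit("/", 1)[-1]
        if local.lower().endswith(PATCH_SUFFIXES):
            names.append(local)
    return names


def patched_cves(pkgbuild: str) -> Dict[str, List[str]]:
    """Map each patch filename in the PKGBUILD to the CVE IDs it names."""
    return {n: cve_ids_in_name(n) for n in patch_names(pkgbuild_sources(pkgbuild))}


def unpatched(candidates: Iterable[str], pkgbuild: str) -> List[str]:
    """Candidate CVE IDs (e.g. from a feed lookup) with no patch naming them."""
    covered: Set[str] = set()
    for ids in patched_cves(pkgbuild).values():
        covered.update(ids)
    return sorted(c.upper() for c in candidates if c.upper() not in covered)


# Constructed sample PKGBUILD; package name and CVE IDs are placeholders.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
source=("$pkgname-$pkgver.tar.gz"
        "0001-fix-CVE-2015-0001-heap-overflow.patch"
        "CVE-2015-0002_CVE-2015-0003.patch"
        "fix-cve-2014-12345.patch::https://example.invalid/fix.patch"
        "unrelated-build-fix.patch")
"""

# Constructed candidate list standing in for what a feed lookup would return.
SAMPLE_CANDIDATES = ["CVE-2015-0001", "CVE-2015-0003", "CVE-2015-0004"]

if __name__ == "__main__":
    for name, ids in patched_cves(SAMPLE_PKGBUILD).items():
        print(f"{name}: {', '.join(ids) or '(no CVE ID in name)'}")
    print("still unpatched:", unpatched(SAMPLE_CANDIDATES, SAMPLE_PKGBUILD))
```

The check is deliberately string-based: it reports only what the filenames claim, so a patch that fixes a CVE without naming it, or a misnamed patch, is invisible to it, which is exactly why the message ties this to the broader patch-naming discussion.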
