Re: Release of CVEs
From | Gavin Flower
---|---
Subject | Re: Release of CVEs
Date | 
Msg-id | 561DEB14.5000104@archidevsys.co.nz
In reply to | Re: Release of CVEs (Tom Lane <tgl@sss.pgh.pa.us>)
List | pgsql-hackers
On 14/10/15 18:19, Tom Lane wrote:
> I wrote:
>> Michael Paquier <michael.paquier@gmail.com> writes:
>>> On Mon, Oct 12, 2015 at 2:54 AM, Josh Berkus wrote:
>>>> I don't know that there's anything the PostgreSQL project can do about
>>>> it. If anyone on this list is connected with MITRE, please ask them
>>>> what they need to be more prompt.
>>> http://cve.mitre.org/ has a "Contact Us" tab linking to the address I
>>> mentioned. That may be a start as at this state this is far more than
>>> 6 weeks.
>> I'm inclined to start by asking the Red Hat security guys, from whom
>> we obtained all these CVE numbers to begin with. Will check into it
>> tomorrow.
> According to the Red Hat guys, the fundamental problem is that Mitre like
> to research and write up the official CVE descriptions themselves ...
> which would be fine if they had adequate resources to do it in a timely
> fashion, but they don't really. Apparently, most of our bugs are of low
> enough severity to be way down their priority list. (Maybe we should
> consider that a good thing.)
>
> However, Red Hat did also point out a possible alternative: instead of
> linking to the Mitre website, we could link to Red Hat's own repository
> of CVE descriptions at
> https://access.redhat.com/security/cve/
> for example
> https://access.redhat.com/security/cve/CVE-2015-5289
>
> This is not as unofficial as it might seem, because for several years now
> Mitre has officially delegated responsibility for initial assignment of
> CVE numbers for all open-source issues to Red Hat. (It's just final
> wording of the descriptions that they're insisting on doing themselves.)
>
> A quick browse through some of the relevant items says that this is at
> least as good as cve.mitre.org in terms of the descriptions of the
> security issues, but it is a bit Red-Hat-centric in that there's info
> about which Red Hat package releases include a fix, but not about package
> releases from other vendors such as Ubuntu.
>
> As a former wearer of the red fedora, I'm not going to pretend to have
> an unbiased opinion on whether we should switch our security-page links
> to point to Red Hat's entries instead of Mitre's. But it's something
> worth considering, given that we're seeing as much as a year's lag in
> Mitre's pages.
>
> regards, tom lane
>

Would it be possible to link to the Red Hat pages, and (at least semi) automate their replacement by the official pages when they become available?

Cheers,
Gavin
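The semi-automated swap Gavin floats above, sketched as an added example (it is not code from this thread or from the PostgreSQL project). The Red Hat URL form is the one Tom quoted; the MITRE lookup URL, the "** RESERVED **" placeholder test, the `Fetcher` contract and the sample entries are assumptions, and CVE-2015-9999 is a constructed placeholder id.

```python
import re
from typing import Callable, Dict, Optional

# The Red Hat URL form is the one quoted in the thread; the MITRE lookup URL is
# an assumption (the cvename.cgi address form cve.mitre.org used at the time).
MITRE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
REDHAT_URL = "https://access.redhat.com/security/cve/{cve}"

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
REDHAT_LINK = re.compile(r"https://access\.redhat\.com/security/cve/(CVE-\d{4}-\d{4,})")

# Fetcher contract (assumed): return MITRE's description text for a CVE id,
# or None when the page could not be retrieved.
Fetcher = Callable[[str], Optional[str]]


def mitre_is_published(description: Optional[str]) -> bool:
    """True only once MITRE has written the final description.

    Assumption: an assigned-but-unwritten entry begins with "** RESERVED **".
    Missing or empty text counts as unpublished, so a fetch failure can
    never flip a link away from the working Red Hat page.
    """
    if not description:
        return False
    return not description.strip().startswith("** RESERVED **")


def choose_link(cve: str, fetch_mitre: Fetcher) -> str:
    """Prefer the official MITRE page; fall back to Red Hat's entry."""
    if not CVE_ID.fullmatch(cve):
        raise ValueError(f"not a CVE id: {cve!r}")
    if mitre_is_published(fetch_mitre(cve)):
        return MITRE_URL.format(cve=cve)
    return REDHAT_URL.format(cve=cve)


def refresh_links(page_html: str, fetch_mitre: Fetcher) -> str:
    """Rewrite each Red Hat CVE link whose MITRE entry has since appeared."""
    return REDHAT_LINK.sub(lambda m: choose_link(m.group(1), fetch_mitre), page_html)


# Constructed stand-in for the network: one entry MITRE has written up,
# one (placeholder id, not a real advisory) still reserved.
SAMPLE_MITRE: Dict[str, str] = {
    "CVE-2015-5289": "constructed description text for a published entry",
    "CVE-2015-9999": "** RESERVED ** constructed placeholder for an unwritten entry",
}


def offline_fetch(cve: str) -> Optional[str]:
    return SAMPLE_MITRE.get(cve)
```

Run `refresh_links` over the security page periodically with a real fetcher; links stay on Red Hat until MITRE's text exists, and a fetch error leaves them untouched rather than pointing at an empty page.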