List:       oss-security
Subject:    Re: [oss-security] Buffer Overflow in raptor widely unfixed in Linux distros
From:       Sam James <sam () gentoo ! org>
Date:       2020-11-16 19:49:01
Message-ID: 379461F4-66C3-4EAF-A762-BB3C14B9152F () gentoo ! org



> On 16 Nov 2020, at 19:06, Marius Bakke <marius@gnu.org> wrote:
> 
> "David A. Wheeler" <dwheeler@dwheeler.com> writes:
> 
> > If you think that CVE assignment is still of "fluctuating reliability" I'd like to hear that argument and get it fixed. It's normally better to fix the standard process for doing something than to create yet another process that runs in parallel. I've seen no recent evidence of this reliability issue.
> 
> Speaking as a co-maintainer of an understaffed GNU/Linux distribution
> who fixed this back in 2017[0], I preferred the "old days" when free
> software security problems were almost always discussed on this list.
> 
> While there's no questioning the utility of CVEs in general (Guix can
> check the CVE list for any given package with 'guix lint -c cve PKG'),
> there are still unresolved CPE mappings, and I don't know how to get
> informed of new problems without checking specific (or all) packages.
> 
> I tried following the CVE assignment RSS feed initially, but it was not
> suitable for human consumption.
> 

I share the same problems.

We've taken to a mix in Gentoo:

1) Automated import of RSS feeds (but this isn't that fit for human consumption, especially with the large dumps of various corporate appliance CVEs every so often);

2) I maintain a list of announcement mailing lists to read: https://wiki.gentoo.org/wiki/User:Sam/Security/Release_announcements. I skim announcements for security-related notes. But this doesn't help if upstream is inactive;

3) I subscribe to *other* distros' security announcement mailing lists to help reduce the chance of missing anything;

4) I check the Twitter @CVENew feed ~regularly;

5) Repology (https://repology.org/) has the ability to say if it thinks a package is vulnerable. It's not 100% accurate (it can't be), but it helps;

6) Of course, subscribe to this list (and linux-distros);

7) Subscribe to other security-related mailing lists like fulldisclosure.

There are probably some other ways that I'm not thinking of right now. I'm still relatively new to the game so any tips are really welcome too.

> How do other distros keep up with new CVE assignments?
> 
> [0] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=099c9fdae623e06e4fded8b0d4e55d9d5b56715b
> 


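Item 1 above (automated RSS import that drowns in unrelated appliance CVEs) and Marius's question about how to be told of new problems without checking every package both come down to the same step: filtering a CVE feed against the set of packages a distribution actually ships, and only surfacing IDs not seen before. The following is an added example written for this archive page; it is not code from the thread, from Gentoo, or from Guix. It assumes an RSS 2.0 feed with one <item> per CVE whose <title> is the CVE ID and whose <description> is the summary text; the feed, the CVE IDs and the package names (libfoo, barlib, quxd, libfoobar) are all constructed for the example and stand for nothing real. Matching on free-text summaries is deliberately the weak point of the approach: it is the same "can't be 100% accurate" caveat Sam gives for Repology, and the reason proper CPE mappings matter.

```python
"""Filter a CVE RSS feed down to the packages a distro ships (added example).

Assumptions (not from the original thread): RSS 2.0, <title> = CVE ID,
<description> = summary; the sample feed and package names are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hypothetical set of packages this distribution maintains.
MAINTAINED = {"libfoo", "barlib", "quxd"}

# Constructed sample feed: two entries about shipped packages, two "appliance
# dump" entries that generate noise, one near-miss (libfoobar is not libfoo),
# and one non-CVE item that a feed might carry.
SAMPLE_FEED = """
<rss version="2.0"><channel>
<item><title>CVE-0000-0001</title>
<description>libfoo before 1.4.2 has a stack-based buffer overflow in
the RDF serializer when parsing an overlong element name.</description></item>
<item><title>CVE-0000-0002</title>
<description>Acme Widget Appliance firmware 3.x allows unauthenticated
remote command execution via the diagnostics page.</description></item>
<item><title>CVE-0000-0003</title>
<description>Acme Widget Appliance 3.1 web UI has stored XSS.</description></item>
<item><title>CVE-0000-0004</title>
<description>barlib 2.0 and quxd before 0.9 mishandle NUL bytes in
configuration files, allowing local privilege escalation.</description></item>
<item><title>CVE-0000-0005</title>
<description>libfoobar 0.3 leaks uninitialized memory to clients.</description></item>
<item><title>Feed maintenance notice</title>
<description>Not a CVE entry.</description></item>
</channel></rss>
"""

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Match:
    cve_id: str
    package: str
    summary: str


def parse_feed(xml_text):
    """Yield (cve_id, summary) for every <item> whose title is a CVE ID."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        cve_id = (item.findtext("title") or "").strip()
        summary = " ".join((item.findtext("description") or "").split())
        if CVE_ID.fullmatch(cve_id):
            yield cve_id, summary


def package_mentions(summary, packages):
    """Packages named in the summary, matched on whole words, case-insensitively.

    Whole-word matching is what keeps 'libfoobar' from triggering 'libfoo';
    it still cannot tell 'raptor' the library from 'raptor' the appliance,
    which is exactly why this is a triage aid and not a verdict.
    """
    lowered = summary.lower()
    return sorted(
        pkg for pkg in packages
        if re.search(r"\b" + re.escape(pkg.lower()) + r"\b", lowered)
    )


def triage(xml_text, packages=MAINTAINED, seen=None):
    """Return new Matches for shipped packages; 'seen' is the persisted
    set of already-processed CVE IDs (hypothetical state kept on disk in
    a real import), so re-running on the same feed surfaces nothing twice."""
    seen = set() if seen is None else seen
    matches = []
    for cve_id, summary in parse_feed(xml_text):
        if cve_id in seen:
            continue
        seen.add(cve_id)
        for pkg in package_mentions(summary, packages):
            matches.append(Match(cve_id, pkg, summary))
    return matches


if __name__ == "__main__":
    state = set()
    for m in triage(SAMPLE_FEED, seen=state):
        print(f"{m.cve_id}  {m.package:<8} {m.summary[:60]}")
    # A second run against the same feed reports nothing new.
    print("new on re-run:", len(triage(SAMPLE_FEED, seen=state)))
```

Run it as-is and it prints only the libfoo, barlib and quxd entries, dropping the two appliance CVEs and the libfoobar near-miss; the "seen" set is what turns a periodic feed pull into a stream of genuinely new items for a human to read.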