On Fri, Nov 25, 2005 at 07:30:12PM +0100, Magnus Hagander wrote:
> > > We really should write the CVE numbers into the commit messages and
> > > the release notes.
> >
> > I think that would be good.
>
> That requires the CVE number to be available at the time of commit. Not
> sure if it'll always be. But if it is, it's certainly a good idea to put
> it in.
I think that depends on who discovers it. CVEs are assigned even if
it's not clear that the vulnerability is exploitable. In any case, some
distributors (like Debian) already track CVEs on your behalf. In
general they refer to the CVE when releasing fixes.
In any case, PostgreSQL already seems to have had 29 CVEs logged:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql
If you follow the links you can find all the vendor security notices.
In many cases they provide the link to the -announce or -committers
email.
If it's too much work for CORE, maybe someone could download that list
every now and then, verify they've been fixed and check it into the
tree somewhere under SECURITY or some such. If they could be linked to
commit message, all the better.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
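The cross-check proposed above (pull the CVE list, see which entries are already referenced from a commit message, and write the result into a SECURITY-style file) is simple enough to script. The following is an added example and not code from this thread or from the PostgreSQL project; the CVE list and git log it works on are constructed, offline stand-ins for the MITRE keyword-search output and `git log` output, and every CVE identifier and commit hash in them is a fictitious placeholder, not a real entry.

```python
import re

# Matches a CVE identifier such as CVE-2005-1234 (four-digit year, four or more digit sequence).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample in the shape of a keyword-search result reduced to "ID  description"
# lines. The identifiers are fictitious placeholders, not real CVE entries.
SAMPLE_CVE_LIST = """\
CVE-2005-1001  Constructed placeholder: buffer handling issue in a contrib module
CVE-2005-1002  Constructed placeholder: privilege check bypass in a system function
CVE-2005-1003  Constructed placeholder: denial of service via malformed input
"""

# Constructed sample of `git log --format='%H %s%n%b'`-style output; hashes are fictitious.
SAMPLE_GIT_LOG = """\
a1b2c3d4 Fix contrib buffer handling (CVE-2005-1001)
Reported by a distributor; backpatched to 7.4 and 8.0.

e5f6a7b8 Tighten privilege check in system function
This addresses CVE-2005-1002, see the -announce thread.

c9d0e1f2 Unrelated refactoring of parser code
"""


def parse_cve_list(text):
    """Return {cve_id: description} from lines of the form 'ID  description'."""
    entries = {}
    for line in text.splitlines():
        m = CVE_RE.match(line.strip())
        if m:
            entries[m.group(0)] = line.strip()[m.end():].strip()
    return entries


def cves_in_log(log):
    """Return {cve_id: [commit_hash, ...]} for every CVE mentioned in a commit message.

    Commits are separated by blank lines; the first token of a commit block is its hash.
    """
    found = {}
    for block in re.split(r"\n\s*\n", log.strip()):
        commit_hash = block.split(None, 1)[0]
        for cve in sorted(set(CVE_RE.findall(block))):
            found.setdefault(cve, []).append(commit_hash)
    return found


def reconcile(cve_list_text, log_text):
    """Split the tracked CVEs into those linked to a commit and those with no reference yet."""
    known = parse_cve_list(cve_list_text)
    referenced = cves_in_log(log_text)
    linked = {cve: referenced[cve] for cve in known if cve in referenced}
    unlinked = sorted(cve for cve in known if cve not in referenced)
    return linked, unlinked


def render_security_file(cve_list_text, log_text):
    """Produce a plain-text record (one line per CVE) suitable for a SECURITY file in the tree."""
    known = parse_cve_list(cve_list_text)
    linked, _unlinked = reconcile(cve_list_text, log_text)
    lines = []
    for cve in sorted(known):
        commits = ", ".join(linked.get(cve, [])) or "NO COMMIT REFERENCE FOUND"
        lines.append(f"{cve}  {commits}  {known[cve]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_security_file(SAMPLE_CVE_LIST, SAMPLE_GIT_LOG))
```

Entries that come back as "NO COMMIT REFERENCE FOUND" are exactly the ones a maintainer would still have to verify by hand against the release notes or the -announce archive, which is the part of the job the script cannot do for you.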