Thread: Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: "Magnus Hagander"
> > We really should write the CVE numbers into the commit messages and
> > the release notes.
>
> I think that would be good.

That requires the CVE number to be available at the time of commit. Not
sure if it'll always be. But if it is, it's certainly a good idea to put
it in.

> > How about a simple webpage that has more or less a table with:
> > CVE-number  |   present in releases  |  fixed in releases
> > CVE-number  |   present in releases  |  fixed in releases
> > CVE-number  |   present in releases  |  fixed in releases
>
> ..and I think we should do this too.
>
> Have to say I'm a bit worried about overloading Tom and
> Bruce, who write most of the security patches and relevant
> release notes.
>
> Anybody else volunteer to maintain the web page?

While I think it would be a good idea for someone on -core to actually
be responsible for such a list, I can certainly create and maintain the
page. With our track record of security issues, it doesn't seem that it
should be all that much work...

//Magnus


Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: Martijn van Oosterhout
On Fri, Nov 25, 2005 at 07:30:12PM +0100, Magnus Hagander wrote:
> > > We really should write the CVE numbers into the commit messages and
> > > the release notes.
> >
> > I think that would be good.
>
> That requires the CVE number to be available at the time of commit. Not
> sure if it'll always be. But if it is, it's certainly a good idea to put
> it in.

I think that depends on who discovers it. CVEs are assigned even if
it's not clear that the vulnerability is exploitable. In any case, some
distributors (like Debian) already track CVEs on your behalf. In
general they refer to the CVE when releasing fixes.

In any case, PostgreSQL already seems to have had 29 CVEs logged:

http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql

If you follow the links you can find all the vendor security notices.
In many cases they provide the link to the -announce or -committers
email.

If it's too much work for CORE, maybe someone could download that list
every now and then, verify they've been fixed and check it into the
tree somewhere under SECURITY or some such. If they could be linked to
commit message, all the better.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
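The table Magnus sketches (CVE number | present in releases | fixed in releases) and Martijn's suggestion of a SECURITY file checked into the tree both amount to the same small data structure, and the useful question to ask of it is "which of these still apply to the release I am running?". Below is an added example of such a file and a checker for it, written for this page; it is not code from PostgreSQL or its website, and the table contents, including the CVE-0000-nnnn identifiers, are constructed placeholders rather than real advisories. It assumes the second column lists affected branches (major.minor, as PostgreSQL numbered them at the time) and the third lists the first patch release on each branch that carries the fix; an affected branch with no fix listed is treated as still vulnerable, and a fix naming a branch that is not listed as affected is rejected when the table is parsed.

```python
"""Checker for a plain-text CVE table of the form proposed in the thread.

Example code added for this page; not part of PostgreSQL or its website.
Every entry in SECURITY_TABLE is a constructed placeholder, not a real advisory.
"""

from dataclasses import dataclass, field

# Constructed sample table (assumption: one row per CVE, three '|'-separated
# columns, '#' introduces a comment).  Column 2 lists affected release
# branches (major.minor); column 3 lists the first fixed patch release on
# each of those branches.  An empty third column means "not fixed yet".
SECURITY_TABLE = """\
# CVE-number   | present in releases | fixed in releases
CVE-0000-0001  | 7.4, 8.0            | 7.4.9, 8.0.4
CVE-0000-0002  | 8.0, 8.1            | 8.0.5, 8.1.1
CVE-0000-0003  | 7.3, 7.4, 8.0, 8.1  |
"""


def parse_version(text):
    """'8.0.4' -> (8, 0, 4); tuples of ints compare numerically, so 7.4.10 > 7.4.9."""
    return tuple(int(part) for part in text.strip().split("."))


def branch_of(version):
    """The release branch is the first two components: (8, 0, 4) -> (8, 0)."""
    return version[:2]


@dataclass
class Entry:
    cve: str
    present: set = field(default_factory=set)   # affected branches, e.g. {(7, 4), (8, 0)}
    fixed: dict = field(default_factory=dict)   # branch -> first fixed release on it


def parse_table(text):
    """Parse the table and validate that every fix belongs to an affected branch."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 3:
            raise ValueError(f"malformed row: {line!r}")
        cve, present_col, fixed_col = cols
        entry = Entry(cve)
        entry.present = {parse_version(v) for v in present_col.split(",") if v.strip()}
        for v in fixed_col.split(","):
            if not v.strip():
                continue
            fix = parse_version(v)
            if len(fix) != 3:
                raise ValueError(f"{cve}: fix must be a patch release, got {v.strip()!r}")
            if branch_of(fix) not in entry.present:
                raise ValueError(f"{cve}: fix {v.strip()} is on a branch not listed as affected")
            entry.fixed[branch_of(fix)] = fix
        entries.append(entry)
    return entries


def affected(entry, release):
    """True if `release` (e.g. '8.0.3') is still vulnerable to entry.cve.

    A branch not listed as affected is unaffected.  An affected branch with
    no fix recorded is treated as vulnerable, which is the safe default for
    an entry that has been logged but not yet verified as fixed.
    """
    version = parse_version(release)
    branch = branch_of(version)
    if branch not in entry.present:
        return False
    fix = entry.fixed.get(branch)
    return fix is None or version < fix


def open_cves(entries, release):
    """CVE numbers from the table that still apply to `release`, in table order."""
    return [e.cve for e in entries if affected(e, release)]


if __name__ == "__main__":
    table = parse_table(SECURITY_TABLE)
    for rel in ("7.4.10", "8.0.3", "8.0.4", "8.1.1", "8.2.0"):
        print(rel, "->", open_cves(table, rel) or "nothing open")
```

Versions are compared as integer tuples rather than strings, so a 7.4.10 release correctly sorts after the 7.4.9 fix; the parse-time check that each fix sits on a listed branch is the cheap "verify they've been fixed" step Martijn mentions, caught when the file is updated rather than when someone reads it.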