On Sat, 09 May 2009 17:55:48 +0200 Florian Weimer wrote:

> <http://lists.alioth.debian.org/pipermail/secure-testing-team/2005-October/000508.html>
>
> There's even a follow-up which mentions FIXED-BY for unnamed issues.

this seems like a very good idea, and could be implemented immediately with NOTEs (and without requiring any code changes).

> When an issue is assigned a CVE, I suggest to add it after the CVE
> name, preceded by a slash:
>
> CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier
> allows remote ...)
>
> Before that, the entry would have looked like this:
>
> DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]

this is a great idea and would be even better than FIXED-BY. it seems like a more rigorous solution. i would suggest keeping the full DVN name for completeness-sake (maybe reorder to illustrate that the DVN came before the CVE):

DVN-70212/CVE-2009-1572 (The BGP daemon (bgpd) in Quagga 0.99.11 ...

also, would it make sense to associate all CVEs with DVNs (a longer identifier may be required since there are already almost 40,000 CVEs already in the list)? perhaps this could be automatically added by the update scripts?

mike
