Dmitry, I believe the following will help. https://access.redhat.com/security/cve/
I was able to find the CVE you mentioned. https://access.redhat.com/security/cve/CVE-2009-3094 HTHs, ~rp On 06/13/2012 11:11 AM, Dmitry Makovey wrote:
Hi everybody, Background: we're currently going through external security audit and it's report enumerates things in CVE terms which paints things very "black-and-white" - they rely on reported package versions vs. actual vulnerabilities. To address this I have created a tool: https://github.com/droopy4096/rhsa_cve/blob/master/rhsa_cve/rhsa_cve_check.py what it does is it fetches RHSA mapped to CVE, CPE dictionary and CVE databases from RedHat and Mitre. Problem: Working on above tool I hav erealized that mappings are "fuzzy" to generate reliable report. Example: CVE-2009-3094 maps to RHSA-2009:1580,RHSA-2010:0602,RHSA-2009:1579,RHSA-2010:0011,RHSA-2009:1461 Now here's the trick - using RHSA data above I end up with packages like postgresql* in the mix where CVE-2009-3094 specifically refers to a single package - httpd (except it can't be reliably extracted from any of the official sources as far as I can tell) The whole purpose of above is to get CVE information, find out which packages need to be verified, then generate the script that can be ran on a machine checking whether CVE is listed in the changelog as a confirmation that issue has been addressed (even though package version has not changed). Question: Is there a better way of mapping CVE to RHSA/packages? How are others dealing with similar situation? Manual response (esp. that every audit comes up with repeats of CVE's we have appealed on the last round) doesn't seem feasible. We have increased number of external audits as well so Crafting response to each one becomes burdensome.
-- +-----------------------------[ [email protected] ]----+ | Robin Price II - RHCE,RHCDS,RHCVA | | Solutions Architect - Public Sector | | Red Hat, Inc. | | w: +1 (919) 754 4412 | | c: +1 (252) 474 3525 | | @robinpriceii | +---------[ http://people.redhat.com/rprice ]---------+ -- redhat-sysadmin-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
