Hi, it has come to my attention that there seems to be a common misunderstanding on how we check new issues popping up.
The most recent example of this is the handling of CVE-2008-6792. I really don't want to blame anyone as this seems to be a misunderstanding, so don't get this mail wrong.

If you commit to the security tracker and triaged a security issue, make sure that your commit data is not based on the CVE id description but on _research_. This research includes reading the code, finding fixes/commits in the upstream repository or even writing patches yourself if you have the time to do that. If you can't assure that, please add a TODO entry reflecting what is missing from your research. This is absolutely necessary to prevent integrating false positives or otherwise incorrect data in the security tracker. People, and especially the stable security team, loosely base (depending on the versions used in the distribution) their decisions regarding stable security updates on this data, and a lot of people require this data to be correct (e.g. debsecan).

This also means that if the CVE id says that something is vulnerable prior to version X, you need to check if that is the case, as well as for the information given on distro-specific issues. Always make sure you understand the issue and are able to verify the information is correct. While mitre tries to do their best on the issues, there is often something fishy with the descriptions, missing references etc. If you are aware of an error, please also contact mitre (or even better, write a mail to oss-sec).

I know this is a lot more work but this is necessary to make sure we are not getting replaced by a small shell script.

Thanks for your attention! ;-P

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

