[VIM] r0t on "bugtraqs @ all"

Mark J Cox mjc at redhat.com
Tue Jun 20 03:49:47 EDT 2006


> CVE gets used in Red Hat advisories, for example.  How is it usable to 
> Red Hat consumers to have an advisory that has 70 CVE's in it when 
> there's only one patch?

Since many enterprise Linux distributions do backporting it is important 
to take into account the starting vulnerable version where that is 
available; if vendors were backporting Ethereal security patches we'd be 
vulnerable only to a subset of those 70 issues (and most likely a 
different subset to each other vendor).

However Ethereal isn't a great example since Ethereal has so many issues 
and it's quite self contained so backwards compatibility isn't essential, 
all the vendors move to new upstream versions, mitigating this slightly.

The kernel is a good example though, where every enterprise vendor is 
backporting a subset of issues that affect that version to their stable 
base versions, where the base versions used by vendors are different. 
That subset of issues fixed may be chosen due to the risk of each issue 
(for example, an issue with a low security impact but requiring major code 
changes may be deferred for a future update to allow it to gain more 
testing).

So when we backport our internal processes benefit from splitting (and 
having a consistent set of rules applied for that splitting), and it helps 
our customers understand things too.

Perhaps the biggest downside of giving Ethereal 20/30/70 CVE names instead 
of a couple is when sponsored researchers are writing reports comparing 
operating systems based on open source (where lots of information is 
available allowing those 20/30/70 names to be easily determined) against 
closed source (where less information is available and so less CVE names 
would be assigned due to lack of sufficient information).  But really it's 
these reports that are broken, not CVE.

Cheers, Mark
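The subset argument above (each vendor's base version is affected by a different subset of the upstream CVEs, and the subset actually shipped may further exclude low-impact issues deferred for testing) can be made concrete. The following is an added example, not code from the original post or from Red Hat; the CVE ids, version numbers, vendor names and impact ratings are constructed placeholders, and the "introduced / fixed" range model is an assumption about how per-CVE version data would be recorded.

```python
"""Decide which of a batch of upstream CVEs still applies to a vendor's
backported base version, and split the result into an advisory.
Added example; all identifiers below are constructed placeholders."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'2.6.16' -> (2, 6, 16) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Issue:
    cve: str          # placeholder id, not a real CVE
    introduced: str   # first upstream version containing the bug (assumed data)
    fixed: str        # first upstream version containing the fix (assumed data)
    impact: str       # vendor's own severity rating: low / moderate / important


@dataclass
class VendorBase:
    name: str
    base_version: str              # upstream version the vendor froze on
    backported: set = field(default_factory=set)  # CVEs already fixed by backport


def affects_base(issue: Issue, base_version: str) -> bool:
    """True when the frozen base version lies inside [introduced, fixed)."""
    b = parse_version(base_version)
    return parse_version(issue.introduced) <= b < parse_version(issue.fixed)


def outstanding(issues, vendor: VendorBase):
    """Issues that affect this vendor's base and are not yet backported."""
    return [i for i in issues
            if affects_base(i, vendor.base_version) and i.cve not in vendor.backported]


def split_advisory(issues, vendor: VendorBase, defer_low: bool = True):
    """Split outstanding issues into (fix now, defer to a later update).
    Deferring low-impact issues mirrors the risk-based choice described
    in the post; the threshold is a constructed policy, not Red Hat's."""
    fix_now, deferred = [], []
    for i in outstanding(issues, vendor):
        (deferred if defer_low and i.impact == "low" else fix_now).append(i)
    return fix_now, deferred


# Constructed sample: five upstream issues, two vendors on different bases.
ISSUES = [
    Issue("CVE-EXAMPLE-0001", "2.6.0", "2.6.16", "important"),
    Issue("CVE-EXAMPLE-0002", "2.6.12", "2.6.17", "low"),
    Issue("CVE-EXAMPLE-0003", "2.6.15", "2.6.17", "moderate"),
    Issue("CVE-EXAMPLE-0004", "2.4.0", "2.6.9", "important"),   # fixed before both bases
    Issue("CVE-EXAMPLE-0005", "2.6.9", "2.6.16", "low"),
]
VENDORS = [
    VendorBase("vendorA", "2.6.9", backported={"CVE-EXAMPLE-0001"}),
    VendorBase("vendorB", "2.6.15"),
]

if __name__ == "__main__":
    for v in VENDORS:
        fix, later = split_advisory(ISSUES, v)
        print(f"{v.name} (base {v.base_version}):")
        print("  fix now :", [i.cve for i in fix])
        print("  deferred:", [i.cve for i in later])
```

Run stand-alone, the script shows vendorA (base 2.6.9, one fix already backported) left with only a single low-impact issue to defer, while vendorB (base 2.6.15) has four outstanding issues, two shipped now and two deferred: the same upstream batch yields a different advisory per vendor, which is exactly why per-issue names and a consistent splitting rule matter for backporting distributions.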