Posted to dev@httpd.apache.org by Mark J Cox <ma...@awe.com> on 2001/10/08 21:28:46 UTC

CVE dictionary

One of the problems with Apache security announcements is that you end up
getting listed everywhere from Bugtraq through SecurityFocus, Apache Week,
every Linux vendor errata that includes Apache, and our own Announcements.
It's not obvious to the end user which of these issues are the same and
which are different as every one of these places munges the description to
fit their own needs.

I've been working with the folks at Mitre CVE (cvs.mitre.org) who have a
neat solution to this, they assign candidate numbers to publicly known
vulnerability descriptions so that they can be easily cross-referenced.
I've reserved three candidate names for security issues in the release of
Apache 1.3.21.  [These names and the details will appear in their database
tomorrow].

I see this as a test run, we don't need to do it in the future if it
doesn't work out.  It seems harmless to me.

I'll commit these names to the CHANGES and Announcement page before the
.22 tag, and let the Linux vendors know what to do with them.

Cheers,
Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor

Re: CVE dictionary

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Mon, Oct 08, 2001 at 08:28:46PM +0100, Mark J Cox wrote:

> I've been working with the folks at Mitre CVE (cvs.mitre.org) ...

Great reference. (needs to be cve.mitre.org though).

Cheers,

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

Re: CVE dictionary

Posted by Dirk-Willem van Gulik <di...@covalent.net>.
Good stuff ! Perfect solution !

Dw

On Mon, 8 Oct 2001, Mark J Cox wrote:

> One of the problems with Apache security announcements is that you end up
> getting listed everywhere from Bugtraq through SecurityFocus, Apache Week,
> every Linux vendor errata that includes Apache, and our own Announcements.
> It's not obvious to the end user which of these issues are the same and
> which are different as every one of these places munges the description to
> fit their own needs.
>
> I've been working with the folks at Mitre CVE (cvs.mitre.org) who have a
> neat solution to this, they assign candidate numbers to publicly known
> vulnerability descriptions so that they can be easily cross-referenced.
> I've reserved three candidate names for security issues in the release of
> Apache 1.3.21.  [These names and the details will appear in their database
> tomorrow].
>
> I see this as a test run, we don't need to do it in the future if it
> doesn't work out.  It seems harmless to me.
>
> I'll commit these names to the CHANGES and Announcement page before the
> .22 tag, and let the Linux vendors know what to do with them.
>
> Cheers,
> Mark
> --
> Mark J Cox ........................................... www.awe.com/mark
> Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor