Hints for working with CVEs?
Josh Bressers
bressers at redhat.com
Fri May 5 17:42:53 UTC 2006
> Does anyone have any notes for dealing with the CVE lists? I know the
> main access page is http://www.cve.mitre.org/cve/, but all you can do
> is download the whole list or do a text search. (And the whole list
> in plain text is 15MB.) I see that someone at Purdue offers change
> lists, but the format is not terribly useful (just the numbers of the
> changed entries).
>
> Are there any tools that can extract useful summaries of this data
> that we could use? Even number and summary would be helpful.
>
> For example, I know there's a recent clamav vulnerability that affects
> Extras. Now, I can search to find out that it's CVE-2006-1989. I
> know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
>
> But, how would I have seen the CVE without knowing it existed? Click
> on every link in the daily changelogs and manually read the
> description? There has to be a more efficient way.
Nothing officially exists to do this. I've been meaning to write one for
quite some time. NIST has something similar to what you're looking for
here: http://nvd.nist.gov/
>
> BTW, what would be the format of the line to add to the fe4 and fe5
> files for this?
>
> CVE-2006-1989 version (clamav, fixed 0.88.2)
This is correct, yes.
--
JB
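An added example, not part of the original messages and not Fedora's own tooling: one way to spot CVEs that name a shipped package but have no line yet in a tracking file such as fe4 or fe5. The line format is taken from the single line confirmed in the thread; the meaning of the second field, the function names, the placeholder CVE ids and the sample summaries are constructed assumptions.

```python
import re

# Tracking-file line as confirmed in the thread:
#   CVE-2006-1989 version (clamav, fixed 0.88.2)
# Assumption: the second word is a free-form status keyword.
TRACK_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s+\(([^,()]+)(?:,\s*([^()]*))?\)\s*$")

def parse_tracking(text):
    """Return {cve_id: (status, package, note)} for every well-formed line."""
    tracked = {}
    for line in text.splitlines():
        m = TRACK_RE.match(line.strip())
        if m:
            cve, status, pkg, note = m.groups()
            tracked[cve] = (status, pkg.strip(), (note or "").strip())
    return tracked

def untracked(cve_summaries, tracked, packages):
    """Return (cve_id, package, summary) for CVEs whose summary names a
    shipped package as a whole word and which have no tracking line yet."""
    out = []
    for cve, summary in cve_summaries:
        if cve in tracked:
            continue
        for pkg in packages:
            # Whole-word match so "clamav" does not hit "libclamav-foo".
            pat = r"(?<![\w-])" + re.escape(pkg) + r"(?![\w-])"
            if re.search(pat, summary, re.IGNORECASE):
                out.append((cve, pkg, summary))
                break
    return out

# Constructed sample data; only CVE-2006-1989 comes from the thread.
SAMPLE_TRACKING = "CVE-2006-1989 version (clamav, fixed 0.88.2)\n"
SAMPLE_CVES = [
    ("CVE-2006-1989", "placeholder summary mentioning clamav"),
    ("CVE-0000-0001", "placeholder summary mentioning ClamAV again"),
    ("CVE-0000-0002", "placeholder summary mentioning libclamav-foo only"),
    ("CVE-0000-0003", "placeholder summary for an unrelated product"),
]
PACKAGES = ["clamav", "gnupg"]

if __name__ == "__main__":
    for cve, pkg, summary in untracked(
            SAMPLE_CVES, parse_tracking(SAMPLE_TRACKING), PACKAGES):
        print(f"{cve} ({pkg}): {summary}")
```

Name matching on summaries only narrows the list for manual review; a CVE whose description never names the package will not be flagged.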