Merging Core and Extras affecting security updates

Mark J Cox mjc at
Tue Jan 16 22:01:11 UTC 2007

> I would love to see something like this, but sadly there isn't a nice
> automated way to match a CVE id to a given package.  I'd gladly hear ideas
> on how to do this.

NVD try to do this when they create their entries based on CVE (usually 
they manage this before the CVE site gets updated, but after the CVENEW 
mails come out).  They map each vuln to a product dictionary which we 
could map to package name, but it'll miss those cases where a 
vulnerability gets reported for something that affects multiple products 
(like some flaw being labelled as an Apple flaw when in fact it's in 
xpdf), or where things affect multiple products (an xpdf issue affects many 
open source projects).

example from

 	<prod name="slocate" vendor="slocate">
 		<vers num="3.1"/>
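
Added example, not part of the original message: a sketch of the mapping described above, taking NVD-style `<prod>`/`<vers>` elements to package names and flagging the cases the message says get missed. The `<entry>` wrapper, the CVE ids, both lookup tables and the `map_entries` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <prod>/<vers> excerpt above; the <entry>
# wrapper, its name attribute and the CVE ids are placeholders.
SAMPLE = """
<nvd>
  <entry name="CVE-XXXX-0001">
    <prod name="slocate" vendor="slocate"><vers num="3.1"/></prod>
  </entry>
  <entry name="CVE-XXXX-0002">
    <prod name="xpdf" vendor="xpdf"><vers num="3.0"/></prod>
  </entry>
  <entry name="CVE-XXXX-0003">
    <prod name="mac_os_x" vendor="apple"><vers num="10.4"/></prod>
  </entry>
</nvd>
"""

# Hypothetical hand-maintained tables (assumptions, not real Fedora data):
# (vendor, product) -> package, and package -> packages carrying a copy of it.
PRODUCT_TO_PACKAGE = {("slocate", "slocate"): "slocate", ("xpdf", "xpdf"): "xpdf"}
EMBEDS = {"xpdf": ["kdegraphics", "poppler"]}


def map_entries(xml_text):
    """Return {cve: {"packages": [...], "versions": [...], "needs_review": bool}}."""
    result = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        packages, versions, unmapped = set(), set(), False
        for prod in entry.iter("prod"):
            key = (prod.get("vendor"), prod.get("name"))
            versions.update(v.get("num") for v in prod.iter("vers"))
            pkg = PRODUCT_TO_PACKAGE.get(key)
            if pkg is None:
                # Unknown or possibly mislabelled product: leave it for a human.
                unmapped = True
                continue
            packages.add(pkg)
            packages.update(EMBEDS.get(pkg, []))
        result[entry.get("name")] = {
            "packages": sorted(packages),
            "versions": sorted(versions),
            "needs_review": unmapped or not packages,
        }
    return result


if __name__ == "__main__":
    for cve, info in map_entries(SAMPLE).items():
        print(cve, info)
```

An entry whose product has no row in the table is marked `needs_review` rather than dropped, since the flaw may sit in shared code under another vendor's name.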

