Date: Wed, 15 Mar 2017 14:47:45 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Dealing with CVEs that apply to unspecified package versions

On Wed, Mar 15, 2017 at 2:05 PM, Leo Famulari <leo@...ulari.name> wrote:
> On Wed, Mar 15, 2017 at 12:27:47PM -0700, Seth Arnold wrote:
> > I suspect the solution is for people who rely upon these scanning tools to
> > do the leg work themselves on the packages they care about. (i.e., the
> > packages that annoy them the most.)
>
> I think those of us who find these tools useful should work to improve
> the CVE database by adding the "fixed-in-version" information as it
> becomes available.
>

This is a major goal of

1) using the JSON format with richer data [a]
2) allowing other people (e.g. CVE Mentors) to edit the data

[a] https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
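As an added example (not part of the thread above, and not CVE Project code), the following Python shows what the "fixed-in-version" data the thread asks for buys a scanner: with a record that carries an affected range and a stated fix version, an installed version can be classified as affected or not; with a record that only says "?" / "n/a" for its versions, the honest answer is "unknown", which a scanner should surface for manual triage rather than silently treating as clean. The two records are constructed samples laid out like the `affects` / `version_data` block of the draft CVE JSON 4.0 schema linked in the message; the placeholder IDs, product name, the reading of the `version_affected` operators (`<`, `!>=`, `?`, ...) and the assumption that a missing `version_affected` means `=` are all mine, as is the deliberately simplified dotted-numeric version comparison.

```python
import json
import re

# Constructed sample records modelled on the CVE JSON 4.0 "affects" block.
# The IDs are placeholders, not real CVEs. RICH_RECORD carries the
# fixed-in-version information the thread wants; LEGACY_RECORD does not.
RICH_RECORD = json.dumps({
    "CVE_data_meta": {"ID": "CVE-0000-00001"},
    "affects": {"vendor": {"vendor_data": [{
        "vendor_name": "example",
        "product": {"product_data": [{
            "product_name": "libexample",
            "version": {"version_data": [
                {"version_value": "2.4.0", "version_affected": "<"},    # affected before 2.4.0
                {"version_value": "2.4.0", "version_affected": "!>="},  # fixed in 2.4.0
            ]},
        }]},
    }]}},
})

LEGACY_RECORD = json.dumps({
    "CVE_data_meta": {"ID": "CVE-0000-00002"},
    "affects": {"vendor": {"vendor_data": [{
        "vendor_name": "example",
        "product": {"product_data": [{
            "product_name": "libexample",
            "version": {"version_data": [
                {"version_value": "n/a", "version_affected": "?"},      # "unspecified versions"
            ]},
        }]},
    }]}},
})

# Assumed reading of the version_affected operators: the bare operator
# relates the installed version to version_value; a leading "!" negates
# (i.e. states a fix); a leading "?" means the record does not know.
_OPS = {"=": (0,), "<": (-1,), ">": (1,), "<=": (-1, 0), ">=": (0, 1)}


def parse_version(text):
    """Dotted-numeric version -> tuple of ints. A deliberate simplification;
    dpkg, rpm and PEP 440 all have richer ordering rules."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def cmp_versions(a, b):
    """Three-way compare, zero-padding the shorter tuple so that 2.4 == 2.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_entries(record, product):
    """All version_data entries for `product`, walking the 4.0 affects tree."""
    found = []
    for vendor in record.get("affects", {}).get("vendor", {}).get("vendor_data", []):
        for prod in vendor.get("product", {}).get("product_data", []):
            if prod.get("product_name") == product:
                found.extend(prod.get("version", {}).get("version_data", []))
    return found


def assess(record_json, product, installed):
    """Return 'affected', 'not affected' or 'unknown' for `installed`.

    Precedence: an explicit negation ("!...", a stated fix) beats a positive
    match; a positive match beats "?"; a record that says nothing usable about
    the product yields 'unknown', never a silent 'not affected'.
    """
    entries = version_entries(json.loads(record_json), product)
    if not entries:
        return "unknown"
    inst = parse_version(installed)
    affected = negated = unknown = False
    for entry in entries:
        op = entry.get("version_affected", "=")   # assumed default
        ref = parse_version(entry.get("version_value", ""))
        bare = op.lstrip("!") or "="
        if op.startswith("?") or not ref or bare not in _OPS:
            unknown = True                        # "?", "n/a", or an operator we cannot read
            continue
        if cmp_versions(inst, ref) in _OPS[bare]:
            if op.startswith("!"):
                negated = True
            else:
                affected = True
    if negated:
        return "not affected"
    if affected:
        return "affected"
    return "unknown" if unknown else "not affected"


if __name__ == "__main__":
    for ver in ("2.3.9", "2.4.0", "2.5.1"):
        print("libexample", ver, "rich:", assess(RICH_RECORD, "libexample", ver),
              "legacy:", assess(LEGACY_RECORD, "libexample", ver))
```

The point of the three-valued result is the failure mode the thread complains about: a record without a fixed-in version cannot be turned into a yes/no by the scanner, so the tool should say so instead of guessing, and the fix is to get the range and fix version into the record itself.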