Date: Tue, 17 Nov 2020 11:35:21 +0100
From: Morten Linderud <foxboron@...hlinux.org>
To: oss-security@...ts.openwall.com
Cc: "David A. Wheeler" <dwheeler@...eeler.com>
Subject: Re: Buffer Overflow in raptor widely unfixed in Linux distros

On Mon, Nov 16, 2020 at 08:06:15PM +0100, Marius Bakke wrote:
> I tried following the CVE assignment RSS feed initially, but it was not
> suitable for human consumption.
>
> How do other distros keep up with new CVE assignments?

Depends. Commercial distributions like Ubuntu, SUSE or RedHat keep up mostly(?) fine by throwing money on the problem. The story is very different on volunteer distributions.

Arch Linux is unable to keep up. Consuming the CVE feeds in any structured way takes quite a bit of effort, and then you need the manpower to wade through the assignments. Even if you did manage to do all this, there might not be a clear reference of the fix in question. For all you know the assigned CVE is only for the vulnerability and there is no fix written yet. You simply do not know.

For Arch Linux it's a manpower problem handling the CVEs and writing advisories for the published packages, along with things sometimes not being very easy to fix for package maintainers. It is very much a best effort basis. Severe issues get handled in a timely fashion, but it always depends on the time available to the volunteers.

I think a lot can be solved with information sharing and better tooling. There was an attempt to have a shared IRC channel for distribution security teams, and I think initiatives like the OpenSSF vulnerability disclosure WG are important for this.

https://github.com/ossf/wg-vulnerability-disclosures

--
Morten Linderud
PGP: 9C02FF419FECBE16