Date: Tue, 17 Nov 2020 11:35:21 +0100
From: Morten Linderud <>
Cc: "David A. Wheeler" <>
Subject: Re: Buffer Overflow in raptor widely unfixed in Linux

On Mon, Nov 16, 2020 at 08:06:15PM +0100, Marius Bakke wrote:
> I tried following the CVE assignment RSS feed initially, but it was not
> suitable for human consumption.
> How do other distros keep up with new CVE assignments?

Depends. Commercial distributions like Ubuntu, SUSE or RedHat keep up mostly(?)
fine by throwing money on the problem. The story is very different on volunteer

Arch Linux is unable to keep up.

Consuming the CVE feeds in any structured way takes quite a bit of effort, and
then you need the manpower to wade through the assignments. Even if you did
manage to do all this, there might not be a clear reference of the fix in
question. For all you know the assigned CVE is only for the vulnerability and
there is no fix written yet. You simply do not know.

For Arch Linux it's a manpower problem handling the CVEs and writing advisories
for the published packages, along with things sometimes not being very easy to
fix for package maintainers. It is very much a best effort basis.

Severe issues get handled in a timely fashion, but it always depends on the
time available of the volunteers.

I think a lot can be solved with information sharing and better tooling. There
was an attempt to have a shared IRC channel for distribution security teams,
and I think initiatives like the OpenSSF vulnerability disclosure WG are
important for this.

Morten Linderud
