Re: Release of CVEs

From: Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Release of CVEs
Date: 2015-10-14 05:41:40
Message-ID: 561DEB14.5000104@archidevsys.co.nz
Lists: pgsql-hackers

On 14/10/15 18:19, Tom Lane wrote:
> I wrote:
>> Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
>>> On Mon, Oct 12, 2015 at 2:54 AM, Josh Berkus wrote:
>>>> I don't know that there's anything the PostgreSQL project can do about
>>>> it. If anyone on this list is connected with MITRE, please ask them
>>>> what they need to be more prompt.
>>> http://cve.mitre.org/ has a "Contact Us" tab linking to the address I
>>> mentioned. That may be a start as at this state this is far more than
>>> 6 weeks.
>> I'm inclined to start by asking the Red Hat security guys, from whom
>> we obtained all these CVE numbers to begin with. Will check into it
>> tomorrow.
> According to the Red Hat guys, the fundamental problem is that Mitre like
> to research and write up the official CVE descriptions themselves ...
> which would be fine if they had adequate resources to do it in a timely
> fashion, but they don't really. Apparently, most of our bugs are of low
> enough severity to be way down their priority list. (Maybe we should
> consider that a good thing.)
>
> However, Red Hat did also point out a possible alternative: instead of
> linking to the Mitre website, we could link to Red Hat's own repository
> of CVE descriptions at
> https://access.redhat.com/security/cve/
> for example
> https://access.redhat.com/security/cve/CVE-2015-5289
>
> This is not as unofficial as it might seem, because for several years now
> Mitre has officially delegated responsibility for initial assignment of
> CVE numbers for all open-source issues to Red Hat. (It's just final
> wording of the descriptions that they're insisting on doing themselves.)
>
> A quick browse through some of the relevant items says that this is at
> least as good as cve.mitre.org in terms of the descriptions of the
> security issues, but it is a bit Red-Hat-centric in that there's info
> about which Red Hat package releases include a fix, but not about package
> releases from other vendors such as Ubuntu.
>
> As a former wearer of the red fedora, I'm not going to pretend to have
> an unbiased opinion on whether we should switch our security-page links
> to point to Red Hat's entries instead of Mitre's. But it's something
> worth considering, given that we're seeing as much as a year's lag in
> Mitre's pages.
>
> regards, tom lane
>
>
Would it be possible to link to the Red Hat pages, and (at least semi-)
automate their replacement by the official pages when they become available?

Cheers,
Gavin
