Re: Hints for working with CVEs?

> Does anyone have any notes for dealing with the CVE lists?  I know the
> main access page is http://www.cve.mitre.org/cve/, but all you can do
> is download the whole list or do a text search.  (And the whole list
> in plain text is 15MB.)  I see that someone at Purdue offers change
> lists, but the format is not terribly useful (just the numbers of the
> changed entries).
> 
> Are there any tools that can extract useful summaries of this data
> that we could use?  Even number and summary would be helpful.
> 
> For example, I know there's a recent clamav vulnerability that affects
> Extras.  Now, I can search to find out that it's CVE-2006-1989.  I
> know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
> 
> But, how would I have seen the CVE without knowing it existed?  Click
> on every link in the daily changelogs and manually read the
> description?  There has to be a more efficient way.

Nothing officially exists to do this.  I've been meaning to write one for
quite some time.  NIST has something similar to what you're looking for
here: http://nvd.nist.gov/

> 
> BTW, what would be the format of the line to add to the fe4 and fe5
> files for this?
> 
> CVE-2006-1989 version (clamav, fixed 0.88.2)

This is correct, yes.

-- 
    JB

