On Tue, 4 Jan 2011 19:11:16 +1100 Silvio Cesare wrote:

> I think RHEL maintains security tracking but I do not know the details.

There are per-product errata listing pages available on Red Hat Network
that can be accessed without having to log in via:

  https://rhn.redhat.com/errata/

You can also list all errata for a specific CVE id by accessing a URL as:

  https://rhn.redhat.com/errata/CVE-20XX-YYYY.html

CVE pages aim to combine released errata info with additional info (bug
link, impact rating and scoring, possible statements) in a single place:

  https://www.redhat.com/security/data/cve/

> Fedora as far as I know does not publicly and actively maintain
> security tracking once an advisory is released.

Bodhi search can be used to locate updates referencing a specific CVE id,
assuming it was assigned at the time the update was released. E.g. for
CVE-2010-4221 that Paul used:

  https://admin.fedoraproject.org/updates/search/CVE-2010-4221

The update system does not allow changing the CVE list for update
requests. All info about released updates is usually removed from Bodhi
shortly after the Fedora version's EOL. So unlike RHN, you won't find
info on EOLed versions there.

> A simple report I generated last year was tracking of packages and
> the CVEs that they reference in an advisory. I did that by scraping
> the public mailing list archive of advisories/updates and grepping
> for CVE references. I have made a report from last year publicly
> available
> https://github.com/silviocesare/Privileged-Programs/blob/master/SecurityAdvisories/Fedora/SecurityAdvisories.txt

I suspect this list is likely to be affected by this issue:

  https://fedorahosted.org/bodhi/ticket/351

The update system allows referencing multiple builds in one update
request, but when such a request is turned into email notifications, a
separate mail is sent for each build. Firefox updates are a good example,
as they usually contain half a dozen builds or more (firefox + xulrunner,
and a bunch of apps using gecko libs that required a rebuild).

> This might be useful on the Fedora wiki.

Such a list is going to get outdated soon. Tools that can be used to
re-generate the list may be more useful to those that want to do similar
stats.

> Another report I made which may or may not be useful to the security
> team is a list of packages between Debian and Fedora that are roughly
> equivalent, irrespective of what the package names are
> https://github.com/silviocesare/Equivalent-Packages/blob/master/NearestNeighbour/Debian5_Fedora13_Matches

Out of curiosity, how should the Similarity number be interpreted?

-- 
Tomas Hoger / Red Hat Security Response Team

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
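As an added example (not part of the thread, and not Silvio's scraper or any Red Hat or Fedora tool), the script below shows how a package/CVE report built from update-notification mails can avoid the one-mail-per-build inflation Tomas describes: instead of counting mails, it groups them by the advisory id that every build of one update shares, then maps each CVE to the set of packages fixed under that advisory. The three mails are constructed samples that only imitate the layout of the announce mails (the "Name :", "Product :" and "References:" fields are an assumption about the format); all FEDORA-2010-0000x ids, bug numbers and CVE-2010-0000x ids are placeholders, and CVE-2010-4221 is the one id taken from the thread.

```python
"""Group Fedora update-notification mails by advisory id and extract CVE references.

CONSTRUCTED sample input: the three notifications imitate the announce-mail
layout; advisory ids, bug numbers and CVE-2010-0000x ids are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_MAILS = [
    """Subject: [SECURITY] Fedora 13 Update: firefox-3.6.13-1.fc13
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-00001
--------------------------------------------------------------------------------
Name        : firefox
Product     : Fedora 13
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #000001 - CVE-2010-00001 placeholder memory safety issue
  [ 2 ] Bug #000002 - CVE-2010-00002 placeholder use-after-free
""",
    """Subject: [SECURITY] Fedora 13 Update: xulrunner-1.9.2.13-1.fc13
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-00001
--------------------------------------------------------------------------------
Name        : xulrunner
Product     : Fedora 13
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #000001 - CVE-2010-00001 placeholder memory safety issue
  [ 2 ] Bug #000002 - CVE-2010-00002 placeholder use-after-free
""",
    """Subject: [SECURITY] Fedora 13 Update: proftpd-1.3.3c-1.fc13
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-00002
--------------------------------------------------------------------------------
Name        : proftpd
Product     : Fedora 13
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #000003 - CVE-2010-4221 proftpd: telnet IAC stack overflow
""",
]

ADVISORY_RE = re.compile(r"^(FEDORA-\d{4}-\d+)\s*$", re.M)
NAME_RE = re.compile(r"^Name\s*:\s*(\S+)", re.M)
PRODUCT_RE = re.compile(r"^Product\s*:\s*(.+?)\s*$", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_notification(text):
    """Return advisory id, package name, product and the CVE ids referenced in one mail."""
    adv = ADVISORY_RE.search(text)
    name = NAME_RE.search(text)
    if not adv or not name:
        raise ValueError("not a Fedora update notification")
    product = PRODUCT_RE.search(text)
    return {
        "advisory": adv.group(1),
        "package": name.group(1),
        "product": product.group(1) if product else "",
        "cves": frozenset(CVE_RE.findall(text)),
    }


def group_by_advisory(mails):
    """Merge the per-build mails of one update under its shared advisory id."""
    groups = defaultdict(lambda: {"packages": set(), "cves": set()})
    for mail in mails:
        rec = parse_notification(mail)
        groups[rec["advisory"]]["packages"].add(rec["package"])
        groups[rec["advisory"]]["cves"].update(rec["cves"])
    return dict(groups)


def cve_to_packages(groups):
    """Invert the grouping: which packages were rebuilt for each CVE id."""
    out = defaultdict(set)
    for g in groups.values():
        for cve in g["cves"]:
            out[cve].update(g["packages"])
    return dict(out)


if __name__ == "__main__":
    groups = group_by_advisory(SAMPLE_MAILS)
    print(f"{len(SAMPLE_MAILS)} mails -> {len(groups)} distinct advisories")
    for adv, g in sorted(groups.items()):
        print(adv, sorted(g["packages"]), sorted(g["cves"]))
    for cve, pkgs in sorted(cve_to_packages(groups).items()):
        print(cve, "->", ", ".join(sorted(pkgs)))
```

Run against the samples, the two firefox/xulrunner mails collapse into one advisory, so a count of "advisories per CVE" is not doubled by the multi-build update, while the inverted map still records that both packages were rebuilt for the same CVE ids. Real archives would be fed in as the list of mail bodies in place of SAMPLE_MAILS.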