path: root/english/security/cve-compatibility.wml
#use wml::debian::template title="Debian CVE compatibility" NOHEADER="true"
#include "$(ENGLISHDIR)/security/faq.inc"
# $Id$

<h1><a href="https://cve.mitre.org/">\
<img class="cve" src="CVE-compatible.png" alt="CVE-compatible">\
</a>
Debian and CVE compatibility</h1>

<P>Debian developers understand the need to provide accurate and
up-to-date information about the security status of the Debian distribution,
allowing users to manage the risk associated with new security
vulnerabilities.  The <a href="https://cve.mitre.org/">Common
Vulnerabilities and Exposures</a> project (CVE) enables us to provide
standardised security references that allow users to develop a
CVE-enabled security management process.  CVE provides a list of
standardised names for vulnerabilities and security exposures.</p>

<P>The Debian project believes that it is extremely
important to provide users with additional information 
related to security issues that affect the Debian distribution.
The inclusion of CVE names in advisories helps
users associate generic vulnerabilities with specific Debian updates,
which reduces the time spent handling vulnerabilities that affect our users.</p>

<P>The availability of common security references also eases the
management of security in an environment where
CVE-enabled security tools, such as network or host intrusion detection systems
or vulnerability assessment tools, are already deployed, regardless of
whether or not they are based on the Debian distribution.</p>

<P>The Debian project has added CVE names to all the security advisories (DSA)
released since September 1998 through a review process started in
August 2002. All of the advisories can be retrieved on the Debian
web site, and announcements related to new vulnerabilities include
CVE names if available at the time of their release.</p>

<p>The <a href="https://security-tracker.debian.org/">Debian Security Tracker</a>
has the canonical list of CVE names, corresponding Debian packages, Debian
Security Advisories and bug numbers. It can be searched on package name
or DSA/CVE name and contains data since the release of Debian Woody.</p>

<h2>Common questions on CVE status</h2>

<maketoc>

<toc-add-entry name=status>What is the current status of Debian in the CVE process?</toc-add-entry>
<P>Debian Security Advisories was
<a href="CVE-certificate.jpg">declared CVE-Compatible</a> on February
24, 2004. More information is available at the 
<a href="https://cve.mitre.org/compatible/organizations.html#softitpi">CVE
site</A>, including the
<a href="https://cve.mitre.org/compatible/phase2/SPI_Debian.html">capability
questionnaire</A>.</P>

<toc-add-entry name=find>Why don't I find a given CVE name?</toc-add-entry>

<P>The security tracker should have all CVE names. For the other lists,
you might not find a given CVE name in published advisories for one
of the following reasons:
<UL>
<LI>No Debian products are affected by that vulnerability.
<LI>There is not yet an advisory covering that vulnerability.
<LI>An advisory was published before a CVE name was assigned to a given
vulnerability. 
</UL>

<toc-add-entry name=moreinfo>Where can I obtain more information?</toc-add-entry>

<P>For more information visit the <a href="https://cve.mitre.org/">CVE
web site</A>.
