<div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif">Thanks, RbN. <br><br></div><div class="gmail_default" style="font-family:georgia,serif">I just posted a link to the wiki page.  Parts of your email were indispensable in its creation.  <br>

<br></div><div class="gmail_default" style="font-family:georgia,serif">Again, many thanks. <br><br></div><div class="gmail_default" style="font-family:georgia,serif">BW<br></div></div><div class="gmail_extra"><br clear="all">

<div><div dir="ltr"><div><div><span style="font-family:georgia,serif">------------------------------------------</span><span style="font-family:georgia,serif"><span style="font-family:georgia,serif"><span style="font-family:georgia,serif"><font>[00(01|10)11]</font></span></span>-----------------------------------------<br>

<br><font>Billy Wayne McCann, Ph.D.<br><a href="https://plus.google.com/+BillyWayneMcCann" target="_blank">Google+</a><br></font></span></div><span style="font-family:georgia,serif"><font><a href="http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040" target="_blank">PGP Key</a><br>

</font></span></div><div><span style="font-family:georgia,serif"><font>irc://irc.freenode.net:bwayne<br></font></span><span style="font-family:georgia,serif"><font>

</font></span><p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><span style="font-family:georgia,serif">MzM0LTcwMy0wMTIyCg== | base64 -d<br></span></p><span style="font-family:georgia,serif"><font><br>

"A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)<br></font></span></div><span style="font-family:georgia,serif"></span><br><span style="font-family:georgia,serif"></span><div><span style="font-family:georgia,serif">------------------------------------------</span><span style="font-family:georgia,serif"><span style="font-family:georgia,serif"><font>[11(10|01)00]-------</font></span>-----------------------------------</span></div>

</div></div>
<br><br><div class="gmail_quote">On Tue, Mar 11, 2014 at 3:56 PM, RbN <span dir="ltr">&lt;<a href="mailto:r.b.n@riseup.net" target="_blank">r.b.n@riseup.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hello,<br>
<br>
A message to give some hints and links to look more efficiently for security<br>
issues and CVE.<br>
<br>
Some mailing lists:<br>
* oss-sec<br>
        main list dealing with security of free software, a lot of CVE<br>
        attributions happen here, required if you wish to follow security news.<br>
        * info: <a href="http://oss-security.openwall.org/wiki/mailing-lists/oss-security" target="_blank">http://oss-security.openwall.org/wiki/mailing-lists/oss-security</a><br>
        * subscribe: oss-security-subscribe(at)<a href="http://lists.openwall.com" target="_blank">lists.openwall.com</a><br>
        * archive: <a href="http://www.openwall.com/lists/oss-security/" target="_blank">http://www.openwall.com/lists/oss-security/</a><br>
* bugtraq<br>
        a full disclosure moderated mailing list (noisy)<br>
        * info: <a href="http://www.securityfocus.com/archive/1/description" target="_blank">http://www.securityfocus.com/archive/1/description</a><br>
        * subscribe: bugtraq-subscribe(at)<a href="http://securityfocus.com" target="_blank">securityfocus.com</a><br>
* full-disclosure<br>
        another full-disclosure mailing-list (noisy)<br>
        * info: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
        * subscribe: full-disclosure-request(at)<a href="http://lists.grok.org.uk" target="_blank">lists.grok.org.uk</a><br>
You can also use some others: LibreOffice, X.org, Puppetlabs, ISC, etc.<br>
<br>
Resources of other distributions (to look for CVE, patch, comments etc.):<br>
RedHat and Fedora:<br>
        * rss advisories:<br>
<a href="https://admin.fedoraproject.org/updates/rss/rss2.0?type=security" target="_blank">https://admin.fedoraproject.org/updates/rss/rss2.0?type=security</a><br>
        * CVE tracker: <a href="https://access.redhat.com/security/cve/" target="_blank">https://access.redhat.com/security/cve/</a>&lt;CVE-id&gt;<br>
        * bug tracker: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=</a>&lt;CVE-id&gt;<br>
Ubuntu:<br>
        * advisories: <a href="http://www.ubuntu.com/usn/atom.xml" target="_blank">http://www.ubuntu.com/usn/atom.xml</a><br>
        * CVE tracker: <a href="http://people.canonical.com/~ubuntu-security/cve/?cve=" target="_blank">http://people.canonical.com/~ubuntu-security/cve/?cve=</a>&lt;CVE-id&gt;<br>
        * database: <a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" target="_blank">https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master</a><br>
Debian:<br>
        * CVE tracker: <a href="http://security-tracker.debian.org/tracker/" target="_blank">http://security-tracker.debian.org/tracker/</a>&lt;CVE-id&gt;<br>
        * patch-tracker: <a href="http://patch-tracker.debian.org/" target="_blank">http://patch-tracker.debian.org/</a><br>
        * database: <a href="http://anonscm.debian.org/viewvc/secure-testing/data/" target="_blank">http://anonscm.debian.org/viewvc/secure-testing/data/</a><br>
OpenSUSE:<br>
        * CVE tracker: <a href="http://support.novell.com/security/cve/" target="_blank">http://support.novell.com/security/cve/</a>&lt;CVE-id&gt;.html<br>
<br>
<br>
Mitre and NVD links for CVE:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=</a>&lt;CVE-id&gt;<br>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=" target="_blank">http://web.nvd.nist.gov/view/vuln/detail?vulnId=</a>&lt;CVE-id&gt;<br>
NVD and Mitre do not necessarily fill their CVE entry immediately after<br>
attribution, so it's not always relevant for us.<br>
The CVE-id and the "Date Entry Created" fields do not have particular meaning.<br>
CVEs are attributed by CVE Numbering Authorities (CNA), and each CNA obtains CVE<br>
blocks from Mitre when needed/asked, so the CVE ID is not linked to the<br>
attribution date. The "Date Entry Created" field often only indicates when the<br>
CVE block was given to the CNA, nothing more.<br>
<br>
Linux Weekly News:<br>
LWN provides a daily notice of security updates for various distributions,<br>
sometimes very useful: <a href="http://lwn.net/headlines/newrss" target="_blank">http://lwn.net/headlines/newrss</a><br>
This might be very handy to check if we miss something.<br>
<br>
If you need more, check the openwall wiki:<br>
<a href="http://oss-security.openwall.org/wiki/" target="_blank">http://oss-security.openwall.org/wiki/</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
RbN</font></span><br>_______________________________________________<br>
arch-security mailing list<br>
<a href="mailto:arch-security@archlinux.org">arch-security@archlinux.org</a><br>
<a href="https://mailman.archlinux.org/mailman/listinfo/arch-security" target="_blank">https://mailman.archlinux.org/mailman/listinfo/arch-security</a><br>
<br></blockquote></div><br></div>