[Python-Dev] CVE tracking
Terry Reedy tjreedy at udel.edu
Mon Nov 24 16:44:04 CET 2008
- Previous message: [Python-Dev] CVE tracking
- Next message: [Python-Dev] CVE tracking
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mart Somermaa wrote:
I created a script that parses the http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python Python-related CVE list and classifies the CVEs as follows:
* "ok" -- CVE has references to bugs.python.org
* "warnings" -- CVE has references to Python SVN revisions, or an issue in bugs.python.org refers to it (i.e. the problem is probably fixed, but the CVE should really be updated to link to the issue that is probably listed in bugs.python.org)
* "errors" -- CVE has no references to Python issues or SVN, nor does any issue in bugs.python.org have references to the CVE id

The script is at http://dpaste.com/hold/92930/
The results are at http://dpaste.com/hold/92929/

There were 35 errors, 8 warnings, 5 CVEs were OK.

In an ideal world, the references would be symmetric, i.e. every Python-related CVE would have references to one or more issues in bugs.python.org and these issues would also refer back to the CVE id.
When I looked through that list a week or so ago, I noticed that some issues were obviously related to the Python distribution itself, but others appeared to be Python application problems. It is not an 'error' for the latter to have no reference to or from bugs.python.org. I suspect human perusal is needed to make the determination.
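The three-way classification Mart describes (plus the "symmetric references" ideal) can be expressed as a small offline checker. The following is an added example written for this archive page, not Mart's dpaste script and not anything from the MITRE or bugs.python.org sites: the CVE ids, reference URLs, issue numbers and issue text are all constructed placeholders, and the input is assumed to have already been parsed into a mapping of CVE id to its list of reference URLs, rather than scraped from the cvekey.cgi page.

```python
import re

# Constructed sample data: placeholder CVE ids and reference URLs, not real
# entries from the MITRE keyword search the thread discusses.
CVES = {
    "CVE-0000-0001": ["http://bugs.python.org/issue1234",
                      "http://example.org/advisory-1"],
    "CVE-0000-0002": ["http://svn.python.org/view?rev=65000&view=rev"],
    "CVE-0000-0003": ["http://example.org/some-application-advisory"],
    "CVE-0000-0004": ["http://example.org/another-advisory"],
}

# Constructed: issue number -> text of the tracker issue (title plus comments).
# In practice this would come from a search of bugs.python.org for CVE ids.
BPO_ISSUES = {
    1234: "Fix buffer overflow in module X; this is CVE-0000-0001",
    2345: "Crash reported as CVE-0000-0004 in a third-party library",
}

BPO_RE = re.compile(r"bugs\.python\.org/issue(\d+)")
SVN_RE = re.compile(r"svn\.python\.org/.*?rev=(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def bpo_issues_referenced(references):
    """Issue numbers that a CVE's own reference list points at."""
    return sorted({int(m.group(1)) for ref in references
                   for m in BPO_RE.finditer(ref)})


def svn_revisions_referenced(references):
    """Python SVN revisions that a CVE's reference list points at."""
    return sorted({int(m.group(1)) for ref in references
                   for m in SVN_RE.finditer(ref)})


def issues_mentioning(cve_id, issues):
    """Issue numbers whose text cites the given CVE id (the back-reference)."""
    return sorted(n for n, text in issues.items()
                  if cve_id in CVE_RE.findall(text))


def classify(cve_id, references, issues):
    """Apply the ok / warnings / errors rules from the thread."""
    if bpo_issues_referenced(references):
        return "ok"          # CVE links to bugs.python.org directly
    if svn_revisions_referenced(references) or issues_mentioning(cve_id, issues):
        return "warnings"    # fixed in SVN or cited by an issue, but CVE lacks the link
    return "errors"          # no link in either direction


def is_symmetric(cve_id, references, issues):
    """The ideal case: CVE -> issue and that same issue -> CVE."""
    forward = set(bpo_issues_referenced(references))
    backward = set(issues_mentioning(cve_id, issues))
    return bool(forward & backward)


def classify_all(cves, issues):
    """Group CVE ids by category, in the order the thread lists them."""
    result = {"ok": [], "warnings": [], "errors": []}
    for cve_id in sorted(cves):
        result[classify(cve_id, cves[cve_id], issues)].append(cve_id)
    return result


if __name__ == "__main__":
    report = classify_all(CVES, BPO_ISSUES)
    for category in ("errors", "warnings", "ok"):
        print(f"{category}: {len(report[category])} -> {', '.join(report[category])}")
    for cve_id, refs in sorted(CVES.items()):
        print(cve_id, "symmetric" if is_symmetric(cve_id, refs, BPO_ISSUES) else "asymmetric")
```

A CVE that is cited by an issue but does not itself link back (CVE-0000-0004 in the constructed data) lands in "warnings", which is exactly the case Mart says should be fixed on the MITRE side. Terry's point still applies: a CVE in "errors" may simply concern a Python application rather than the distribution, and this checker cannot tell the two apart.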