Debian and CVE compatibility

Debian developers understand the need to provide accurate and up-to-date information about the security of the distribution, allowing users to manage the risk associated with security vulnerabilities. CVE makes it possible to provide standardized references that allow users to develop a CVE-enabled security management process.

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. More information can be found at .

Debian believes that providing users with additional information related to security issues that affect the Debian distribution is extremely important. The inclusion of CVE names in advisories helps users associate generic vulnerabilities with specific Debian updates, which reduces the time spent handling vulnerabilities that affect our users. It also eases the management of security in an environment where CVE-enabled security tools, such as network or host intrusion detection systems or vulnerability assessment tools, are already deployed, regardless of whether or not they are based on the Debian distribution.

Debian has added CVE names to all the security advisories (DSA) released since September 1998 through a review process started in August 2002. All of the advisories can be retrieved on the Debian web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched directly through the search engine.

Users who want to search for a particular CVE name can use the web search engine available on debian.org to retrieve the advisories (in English and translated to other languages) associated with CVE names. A search can be made for a specific name (like advisory CAN-2002-0001) or for a partial name (like advisory CAN-2002, which matches all the 2002 candidates included in advisories). Note that you need to enter the word advisory together with the CVE name in order to retrieve only security advisories.

Moreover, Debian provides a full cross-reference table including all the references available for all the advisories published since 1998. This table is provided to complement the reference map available at CVE.

Common questions on CVE status

What is the current status of Debian in the CVE process?

Debian is in the first phase of the two phases in the CVE process.

Why don't I find a given CVE name?

You might not find a given CVE name in published advisories either because:

What is the difference between a CVE entry and a candidate?

(from the CVE site) CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Candidates are assigned special names to distinguish them from official CVE entries.

Candidates are assigned special numbers that distinguish them from CVE entries. However, these numbers become CVE entries if the candidate is accepted into CVE. For example, a candidate number might be CAN-1999-0067, while its eventual CVE number would be CVE-1999-0067. Also, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.

The database of published advisories is revised periodically to determine those candidates that have been accepted as CVE entries.
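The following is an added example, not Debian's own tooling: it builds a small cross-reference index from advisory text so that a lookup by candidate name (CAN-) and by entry name (CVE-) reaches the same advisories, and it supports the partial, year-only search described above. The advisory identifiers and texts are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches both candidate (CAN-) and entry (CVE-) names. Accepting four or
# more sequence digits is an assumption made for this example.
NAME_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b")

# Constructed sample advisories: identifiers and texts are placeholders.
SAMPLE_ADVISORIES = {
    "DSA-EXAMPLE-1": "Fixes a buffer overflow, see CAN-2002-0001.",
    "DSA-EXAMPLE-2": "Update for CVE-2002-0001 and CAN-2002-0042.",
    "DSA-EXAMPLE-3": "Addresses CVE-1999-0067 in the CGI handler.",
}

def canonical(name):
    """Return the prefix-independent key 'YYYY-NNNN' for a CAN-/CVE- name."""
    m = NAME_RE.fullmatch(name.strip().upper())
    if not m:
        raise ValueError(f"not a CVE or candidate name: {name!r}")
    return f"{m.group(2)}-{m.group(3)}"

def build_index(advisories):
    """Map 'YYYY-NNNN' to sorted advisory ids, merging both spellings.

    Sharing a key only means the number is the same; it does not claim
    that a candidate was accepted as an official CVE entry.
    """
    index = defaultdict(set)
    for dsa, text in advisories.items():
        for _prefix, year, seq in NAME_RE.findall(text.upper()):
            index[f"{year}-{seq}"].add(dsa)
    return {key: sorted(ids) for key, ids in index.items()}

def lookup(index, query):
    """Find advisories for a full name, or a partial one such as 'CAN-2002'."""
    q = query.strip().upper()
    partial = re.fullmatch(r"(?:CAN|CVE)-(\d{4})", q)
    if partial:
        year = partial.group(1) + "-"
        hits = {d for key, ids in index.items() if key.startswith(year) for d in ids}
        return sorted(hits)
    return index.get(canonical(q), [])

if __name__ == "__main__":
    idx = build_index(SAMPLE_ADVISORIES)
    for q in ("CVE-2002-0001", "CAN-1999-0067", "CAN-2002"):
        print(q, "->", lookup(idx, q))
```
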

For more information please read CVE Candidates explained.

Where can I get more information?

More information can be found on the CVE site.