CPE information for Fedora packages useful?
by Silvio Cesare
Hi,
Debian maintain a list of CPE information for packages on their security
tracker http://svn.debian.org/wsvn/secure-testing/data/CPE/list
The CPE information is not complete and does not contain version
information. This makes it relatively static except when packages are added
or removed from the repository. It can be useful to maintain this limited
CPE information for searching purposes.
In the past I generated an automatic mapping between packages in Debian and
Fedora
https://github.com/silviocesare/Equivalent-Packages/blob/master/NearestNe....
From combining the Debian CPE list and my package mappings, I can generate a
CPE list for Fedora. The list would not cover all of Fedora's packages and I
could not guarantee 100% accuracy, however such a list may be useful.
I can create this list if the security team or developers are interested and
perhaps it could be put on the Fedora wiki.
Apologies if this has already been answered. I have asked Fedora in several
forums if similar information (such as package mappings) would be useful,
and the general consensus thus far has been that it is not needed. However,
while package mappings might not be useful to Fedora, perhaps a partial CPE
list could be.
CC me on responses.
--
Silvio Cesare
12 years, 3 months
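The join described in the post above (Debian CPE list plus a Debian-to-Fedora package mapping, yielding a version-less Fedora CPE list), as an added example that is not part of the original message or of the author's repositories. The input data, the tab-separated mapping format and the treatment of unmapped packages are assumptions for illustration; the Debian list's `package;cpe` line format is used as shown in the sample.

```python
# Constructed sample in the Debian security-tracker CPE list format
# ("package;cpe"); these lines are illustrative, not the real file.
DEBIAN_CPE_LIST = """\
# package;cpe
apache2;cpe:/a:apache:http_server
openssl;cpe:/a:openssl:openssl
libxml2;cpe:/a:xmlsoft:libxml2
bind9;cpe:/a:isc:bind
apt;cpe:/a:debian:apt
obscure-tool;
"""

# Constructed Debian->Fedora mapping (assumed format: debian_pkg<TAB>fedora_pkg).
# 'apt' deliberately has no Fedora equivalent to exercise the unmapped path.
PACKAGE_MAPPING = "apache2\thttpd\nopenssl\topenssl\nlibxml2\tlibxml2\nbind9\tbind\n"


def parse_cpe_list(text):
    """Return {debian_pkg: cpe or None}; an empty CPE field means 'not known'."""
    cpes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, _, cpe = line.partition(";")
        cpes[pkg] = cpe or None
    return cpes


def parse_mapping(text):
    """Return {debian_pkg: fedora_pkg} from the tab-separated mapping."""
    return dict(line.split("\t", 1) for line in text.splitlines() if line.strip())


def fedora_cpe_list(cpe_text, mapping_text):
    """Join both lists. Returns (fedora_cpes, unmapped): fedora_cpes maps a
    Fedora package to its version-less CPE (so a CVE search against it matches
    every version); unmapped lists Debian packages that have a CPE but no
    Fedora counterpart, which is exactly the coverage gap the post warns about."""
    fedora, unmapped = {}, []
    mapping = parse_mapping(mapping_text)
    for deb_pkg, cpe in parse_cpe_list(cpe_text).items():
        if cpe is None:
            continue  # nothing to carry over
        fed_pkg = mapping.get(deb_pkg)
        if fed_pkg is None:
            unmapped.append(deb_pkg)
            continue
        fedora[fed_pkg] = cpe
    return fedora, unmapped


def render(fedora_cpes):
    """Emit the result in the same 'package;cpe' format, sorted by package."""
    return "\n".join(f"{pkg};{cpe}" for pkg, cpe in sorted(fedora_cpes.items()))
```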
Links/new content that may be useful to Fedora
by Silvio Cesare
Hi, I am a PhD student at Deakin University. I am also a recent member to
the Debian testing security team. As part of my research I have been looking
at Linux security.
Debian maintain a security tracker
http://security-tracker.debian.org/tracker/ . I think RHEL maintains
security tracking but I do not know the details. Fedora as far as I know do
not publicly and actively maintain security tracking once an advisory is
released.
A simple report I generated last year was tracking of packages and the CVEs
that they reference in an advisory. I did that by scraping the public
mailing list archive of advisories/updates and grepping for CVE references.
I have made a report from last year publicly available
https://github.com/silviocesare/Privileged-Programs/blob/master/SecurityA... .
This might be useful on the Fedora wiki.
A report I made of Debian's SUID/SGID programs from all packages in the
repository is here
https://github.com/silviocesare/Privileged-Programs/tree/master/Debian5.05 .
I suspect Fedora already has such a list in line with the Fedora 15 target
of removing SUID/SGID programs from the distribution.
Another report I made which may or may not be useful to the security team is
a list of packages between Debian and Fedora that are roughly equivalent,
irrespective of what the package names are
https://github.com/silviocesare/Equivalent-Packages/blob/master/NearestNe... .
There are some false positives and false negatives due to the fact that the
list is automatically generated. This equivalent packages list might be
useful on the Fedora wiki even if it's not a fit in the security section. I
will do another report for Fedora 14 against more Linux distributions if
there is interest.
These links are just small things I've been working on, but I
hope someone in the Fedora project may find them useful. I should also note
that this work is all rather preliminary for now.
Please CC me on responses and if there is a more active or appropriate forum
to raise these types of discussions then please advise.
--
Silvio Cesare
Deakin University
12 years, 4 months