Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Re: OpenSSL Vulnerability
  • From: Olaf Kirch <okir@xxxxxxx>
  • Date: Mon, 16 Sep 2002 16:11:57 +0200
  • Message-id: <20020916161157.E1873@xxxxxxx>
On Mon, Sep 16, 2002 at 08:12:43AM +0200, Thomas Lamy wrote:
> > on 7.3 (openssl-0.9.6b-150):
> > * Fri Jul 26 2002 - okir@xxxxxxx
> >
> > - Added security patch for remotely exploitable buffer overflows
> >
> I think it would be wise to include reusable information in the changelog,
> such as CVE-IDs, CERT Advisory numbers, and of course SuSE SA number(s).
> This way one must not further investigate "which buffer overflow was
> announced the last 30 days before the patch was made".

Yes, but I think the changelog isn't really the place to put this
sort of thing. If you look at our advisory though you'll notice
that the header section says:

Package: openssl
Announcement-ID: SuSE-SA:2002:027
.. bla bla bla ..
Cross References: CAN-2002-0656, CAN-2002-0657, CAN-2002-0655,
CERT Advisory CA-2002-23

So you can see that it lists the CVE and CERT ids as you suggest (with
the exception that when we published the advisory, the vulnerabilities
had just CAN numbers, and had not been approved by the CVE board).

Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
