RHSA vs CVE

Samuel Folk-Williams samfw at redhat.com
Wed Jun 13 18:50:56 UTC 2012


Hi - this article should help: https://access.redhat.com/knowledge/articles/124913

Feel free to comment there with additional questions as well.

-Sam

----- Original Message -----
> Hi everybody,
> 
> Background:
> we're currently going through an external security audit, and its report
> enumerates things in CVE terms, which paints things very "black-and-white":
> they rely on reported package versions vs. actual vulnerabilities. To
> address this I have created a tool:
> 
> https://github.com/droopy4096/rhsa_cve/blob/master/rhsa_cve/rhsa_cve_check.py
> 
> what it does is it fetches RHSA mapped to CVE, CPE dictionary and CVE
> databases from RedHat and Mitre.
> 
> Problem:
> Working on the above tool I have realized that the mappings are too "fuzzy"
> to generate a reliable report. Example: CVE-2009-3094 maps to
> RHSA-2009:1580,RHSA-2010:0602,RHSA-2009:1579,RHSA-2010:0011,RHSA-2009:1461
> 
> Now here's the trick - using the RHSA data above I end up with packages
> like postgresql* in the mix, where CVE-2009-3094 specifically refers to a
> single package - httpd (except it can't be reliably extracted from any of
> the official sources as far as I can tell).
> 
> The whole purpose of the above is to get CVE information, find out which
> packages need to be verified, then generate a script that can be run on a
> machine, checking whether the CVE is listed in the changelog as confirmation
> that the issue has been addressed (even though the package version has not
> changed).
> 
> Question:
> Is there a better way of mapping CVEs to RHSAs/packages? How are others
> dealing with a similar situation? A manual response (especially since every
> audit comes up with repeats of CVEs we have appealed in the last round)
> doesn't seem feasible. We have an increased number of external audits as
> well, so crafting a response to each one becomes burdensome.
> 
> --
> Exterminate! Exterminate!
>  -- Daleks
> 
> --
> redhat-sysadmin-list mailing list
> redhat-sysadmin-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
> 
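The check the original poster describes, a script that treats a CVE mentioned in a package's rpm changelog as confirmation that Red Hat's backported fix is present, as an added worked example in Python (this is not code from the rhsa_cve tool or from Red Hat). The changelog text is a constructed sample laid out like `rpm -q --changelog` output; the packager name, bug numbers and the CVE-2009-0001/0002 identifiers are placeholders, and the only identifier taken from the message is CVE-2009-3094. The CVE-to-package mapping fed to `audit()` is also constructed, deliberately including the postgresql noise the poster complains about:

```python
import re
import subprocess

# CVE identifier as it appears in changelog text (sequence part is 4+ digits).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Entry header as printed by `rpm -q --changelog`:
#   * Tue Nov 10 2009 Packager Name <mail> - 2.2.3-31.el5_4.2
# The trailing "- version-release" is present in most RHEL entries but not
# all, so it is optional here.
HEADER_RE = re.compile(
    r"^\*\s+(?P<date>\w{3} \w{3} \d{1,2} \d{4})\s+(?P<who>.*?)"
    r"(?:\s+-\s+(?P<evr>\S+))?\s*$"
)

# Constructed sample changelogs in rpm's layout (assumption: not real
# Red Hat entries; CVE-2009-0001/0002 and the bug numbers are placeholders).
SAMPLE_CHANGELOGS = {
    "httpd": """\
* Tue Nov 10 2009 Example Packager <packager@example.com> - 2.2.3-31.el5_4.2
- add security fix for CVE-2009-3094 (#100001)

* Mon Aug 03 2009 Example Packager <packager@example.com> - 2.2.3-31.el5_4.1
- add security fix for CVE-2009-0001 (#100002)
""",
    "postgresql": """\
* Thu Sep 17 2009 Example Packager <packager@example.com> - 8.1.18-2.el5_4.1
- update for CVE-2009-0002 (#100003)
""",
}


def parse_changelog(text):
    """Split changelog output into entries, newest first, as dicts holding
    the entry date, version-release (None if absent) and the set of CVE ids
    the entry body mentions."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"date": m.group("date"), "evr": m.group("evr"), "cves": set()}
            entries.append(current)
        elif current is not None:
            current["cves"].update(CVE_RE.findall(line))
    return entries


def fixed_in(changelog_text, cve):
    """Version-release (falling back to the entry date) of the newest entry
    that mentions `cve`, or None if no entry does."""
    for entry in parse_changelog(changelog_text):
        if cve in entry["cves"]:
            return entry["evr"] or entry["date"]
    return None


def installed_changelog(package):
    """Changelog of an installed package; needs rpm on PATH. rpm exits
    non-zero for a package that is not installed, mapped to LookupError."""
    proc = subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise LookupError(proc.stderr.strip() or proc.stdout.strip())
    return proc.stdout


def audit(cve_to_packages, changelog_source=installed_changelog):
    """cve_to_packages: {cve: [package, ...]}, e.g. derived from RHSA data.
    changelog_source: callable package name -> changelog text, raising
    LookupError for an absent package.
    Returns {cve: {package: status}} where status is the version-release of
    the entry naming the CVE, None if the package is installed but its
    changelog never mentions the CVE, or "not installed"."""
    report = {}
    for cve, packages in cve_to_packages.items():
        report[cve] = {}
        for pkg in packages:
            try:
                text = changelog_source(pkg)
            except LookupError:
                report[cve][pkg] = "not installed"
                continue
            report[cve][pkg] = fixed_in(text, cve)
    return report


def sample_source(package):
    """Offline stand-in for installed_changelog() using the sample data."""
    try:
        return SAMPLE_CHANGELOGS[package]
    except KeyError:
        raise LookupError(package)


if __name__ == "__main__":
    # Constructed mapping: the fuzzy RHSA data drags postgresql in for an
    # httpd-only CVE, which the report shows as None rather than as a fix.
    mapping = {"CVE-2009-3094": ["httpd", "postgresql"],
               "CVE-2009-0002": ["postgresql", "openssl"]}
    for cve, pkgs in audit(mapping, sample_source).items():
        for pkg, status in pkgs.items():
            print(f"{cve}\t{pkg}\t{status}")
```

On a real host, call `audit(mapping)` without the second argument so each package's changelog comes from `rpm -q --changelog`. Two caveats when reading the report: a None for a package that the RHSA mapping dragged in (postgresql above) is not evidence of exposure, only evidence that the mapping is wider than the CVE, so those rows need to be reconciled against Red Hat's per-CVE page before they go into an audit response; and a changelog mention is only as reliable as the packager's wording, so the grep should be treated as the confirmation step the poster describes, not as a substitute for the advisory itself.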