Or see these articles:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html#ThirdPartyBulletin
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

-----Original Message-----
From: Peter Tribble [mailto:[email protected]]
Sent: Tuesday 8 December 2015 16:25
To: Discussion list for OpenIndiana <[email protected]>
Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)

On Tue, Dec 8, 2015 at 11:14 AM, Jim Klimov <[email protected]> wrote:

> >From: Tim Mooney [mailto:[email protected]]
> >
> >I'm trying to find a way to verify component security that doesn't
> >rely on more work from the few people that are already doing the
> >security work, but it's not clear what a good method is to perform
> >that verification.
> >
> >Tim
>
> Might it make sense to use some pkg(5) metadata to list the CVEs
> known covered by a particular release+patch recipe used in the build?
> I know I'd quickly stop maintaining such data though, but there may be
> even more pedantic people than myself out there ;) And for a
> commercialized or otherwise paid effort, someone could be doing this
> Sisyphus task. Anyhow, someone has to revise if a CVE applies to our
> code and write down the inspection results somewhere - might as well
> accompany the relevant code snapshot.
>
> Reminds me sort of like Sun's patch READMEs with lists of changelogs
> and bugids and errata...

You mean like the way Oracle Solaris has additional IPS metadata to track CVEs?

https://blogs.oracle.com/darren/entry/cve_metadata_in_solaris_ips

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/

_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
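The thread above proposes recording which CVEs a package build covers as pkg(5) metadata, so that the inspection result travels with the code snapshot. The following is an added example, not code from the OpenIndiana project or from anyone in the thread: it parses IPS-style manifest `set` actions, builds an index from CVE identifier to package FMRI, and reports which of a list of wanted CVEs no package claims to cover. It assumes a multi-valued `set name=info.cve` attribute as the convention (verify the attribute name against your own manifests); the manifests and CVE identifiers below are constructed placeholders.

```python
"""Index CVE coverage claims recorded as pkg(5)/IPS manifest metadata.

Added example; not OpenIndiana's own tooling. Assumes the convention
`set name=info.cve value=CVE-... value=CVE-...` on each manifest.
"""
import re
import shlex
from collections import defaultdict

# Strict identifier check so a typo in a manifest is flagged, not silently indexed.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample manifests (placeholder FMRIs and CVE ids, not real data).
# The second manifest carries a lower-case id to show the malformed-entry path.
SAMPLE_MANIFESTS = {
    "library/zlib": """\
set name=pkg.fmri value=pkg://example.org/library/zlib@1.0,5.11-2015.0.0.0
set name=pkg.summary value="sample compression library"
set name=info.cve value=CVE-0000-0001 value=CVE-0000-0002
""",
    "web/curl": """\
set name=pkg.fmri value=pkg://example.org/web/curl@1.0,5.11-2015.0.0.0
set name=pkg.summary value="sample http client"
set name=info.cve value=cve-0000-0003
""",
}


def parse_set_actions(manifest_text):
    """Return {attribute name: [values]} for every `set` action in a manifest.

    shlex handles the quoted values IPS allows; repeated value= tokens on one
    action are collected in order.
    """
    attrs = defaultdict(list)
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        name, values = None, []
        for tok in shlex.split(line)[1:]:
            key, _, val = tok.partition("=")
            if key == "name":
                name = val
            elif key == "value":
                values.append(val)
        if name is not None:
            attrs[name].extend(values)
    return dict(attrs)


def build_cve_index(manifests):
    """Map each well-formed CVE id to the set of FMRIs claiming to cover it.

    Returns (index, malformed) where malformed lists (fmri, bad_value) pairs
    so a reviewer can fix the manifest rather than trust a bogus claim.
    """
    index = defaultdict(set)
    malformed = []
    for pkg_name, text in manifests.items():
        attrs = parse_set_actions(text)
        fmri = attrs.get("pkg.fmri", [pkg_name])[0]
        for cve in attrs.get("info.cve", []):
            if CVE_RE.match(cve):
                index[cve].add(fmri)
            else:
                malformed.append((fmri, cve))
    return dict(index), malformed


def coverage_report(index, wanted_cves):
    """Split wanted CVEs into those some package claims and those nobody claims."""
    covered = {c: sorted(index[c]) for c in wanted_cves if c in index}
    missing = sorted(c for c in wanted_cves if c not in index)
    return covered, missing


if __name__ == "__main__":
    idx, bad = build_cve_index(SAMPLE_MANIFESTS)
    cov, miss = coverage_report(idx, ["CVE-0000-0001", "CVE-0000-0003"])
    for cve, fmris in cov.items():
        print("covered:", cve, "by", ", ".join(fmris))
    print("unclaimed:", miss)
    print("malformed:", bad)
```

In practice the manifests would come from `pkg contents -m` output or the build recipes themselves, and the "unclaimed" list is the work queue for whoever is doing the inspection Jim describes; the malformed list catches the case where a claim exists but would never match a scanner's query.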
