On Wed May 14, 2008 at 17:19:25 +0100, Hugo Mills wrote:
> > >   The pain of this one is that a security update will only prevent you
> > >  from creating weak keys in the future - it doesn't protect you in any
> > >  way from any keys you've created previously which are now trivially
> > >  crackable ..
> > 
> > However the end result is that Open Source model has allowed this error to
> > be spotted and fixed within the day.
> 
>    The problem was known about in January -- that's when the CVE
> number was allocated. It wasn't discovered and fixed in the space of a
> day.
  Not entirely true (speaking as Debian security team member).
  Debian, and most other Linux distributions, has its own pool of 
 CVE numbers assigned which it can allocate to issues reported to it
 without needing to contact Mitre.
 
  In general security issues which are reported tend to affect multiple
 vendors (e.g. a flaw in bash would affect SuSE/Fedora/Gentoo/etc).
 When a "global" issue like that is discovered generally somebody will
 mail Mitre and say "Can we have an identifier for issue XX".
  When a purely internal issue is found we'll claim a number from our
 pool - and submit the description later, on the basis that Gentoo,
 Fedora, etc, don't need to know about it immediately.
  So, in conclusion, the date/size of a CVE assignment cannot be used
 to judge the age of a security issue.
Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/