Debian and CVE compatibility
Debian developers understand the need to provide accurate and up-to-date information on the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. The Common Vulnerabilities and Exposures project (CVE) enables us to provide standardised security references that allow users to develop a CVE-enabled security management process. CVE provides a list of standardised names for vulnerabilities and security exposures.
The Debian project believes that it is extremely important to provide users with additional information related to security issues that affect the Debian distribution. The inclusion of CVE names in advisories helps users associate generic vulnerabilities with specific Debian updates, which reduces the time spent handling vulnerabilities that affect our users.
The availability of common security references also eases the management of security in an environment where CVE-enabled security tools, such as network or host intrusion detection systems or vulnerability assessment tools, are already deployed, regardless of whether or not they are based on the Debian distribution.
The Debian project has added CVE names to all the security advisories (DSA) released since September 1998 through a review process started in August 2002. All of the advisories can be retrieved from the Debian web site, and announcements related to new vulnerabilities include CVE names if they are available at the time of release.
The Debian Security Tracker holds the canonical list of CVE names, the corresponding Debian packages, Debian Security Advisories and bug numbers. It can be searched by package name or by DSA/CVE name, and contains data since the release of Debian Woody.
Common questions on CVE status
- What is the current status of Debian in the CVE process?
- Why don't I find a given CVE name?
- Where can I obtain more information?
Q: What is the current status of Debian in the CVE process?
Debian Security Advisories were declared CVE-Compatible on February 24, 2004. More information is available at the CVE site, including the capability questionnaire.
Q: Why don't I find a given CVE name?
The security tracker should list all CVE names. In the other sources (for example, published advisories), you might not find a given CVE name because:
- No Debian products are affected by that vulnerability.
- There is not yet an advisory covering that vulnerability.
- An advisory was published before a CVE name was assigned to the vulnerability.
Q: Where can I obtain more information?
For more information, visit the CVE web site.