[VIM] r0t on "bugtraqs @ all"

[Mark J Cox]

> CVE gets used in Red Hat advisories, for example.  How is it usable to 
> Red Hat consumers to have an advisory that has 70 CVE's in it when 
> there's only one patch?

Since many enterprise Linux distributions do backporting it is important 
to take into account the starting vulnerable version where that is 
available; if vendors were backporting Ethereal security patches we'd be 
vulnerable only to a subset of those 70 issues (and most likely a 
different subset to each other vendor).

However Ethereal isn't a great example since Ethereal has so many issues 
and it's quite self contained so backwards compatibility isn't essential, 
all the vendors move to new upstream versions, mitigating this slightly.

The kernel is a good example though, where every enterprise vendor is 
backporting a subset of issues that affect that version to their stable 
base versions, where the base versions used by vendors are different. 
That subset of issues fixed may be chosen due to the risk of each issue 
(for example, an issue with a low security impact but requiring major code 
changes may be deffered for a future update to allow it to gain more 
testing).

So when we backport our internal processes benefit from splitting (and 
having a consistant set of rules applied for that splitting), and it helps 
our customers understand things too.

Perhaps the biggest downside of giving Ethereal 20/30/70 CVE names instead 
of a couple is when sponsored researchers are writing reports comparing 
operating systems based on open source (where lots of information is 
available allowing those 20/30/70 names to be easily determined) against 
closed source (where less information is available and so less CVE names 
would be assigned due to lack of sufficient information).  But really it's 
these reports that are broken, not CVE.

Cheers, Mark