[Openstack-security] Preferred os for rapid security patches of openstack
Kurt Seifried
kseifried at redhat.com
Mon Jun 2 01:17:36 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/01/2014 03:45 PM, kesten broughton wrote:
> Yes, my interest is in patches for openstack modules. We use the
> EPEL repos.
>
> "pick say the last two dozen CVEs and then research when they were
> fixed in each distribution and compare and you'll have your
> answer."
>
> Was that advice tongue-in-cheek? ;)
>
> I picked one, and spent an hour looking for decent sources. I'm
> looking for either archive or CSV format that includes both the
> patch release date and the CVE.
>
> I picked CVE-2014-0162
>
> I was hoping someone had already done the work for me like this
> analysis of rhel variants: Lag for centos behind rhel patch
> releases
> http://bitrate.epipe.com/rhel-vs-centos-scientific-oracle-linux-6_187
>
> Comparing CentOS to Ubuntu is problematic since the CentOS
> announce list does not include the CVE or bug description.
>
> Ubuntu has archives here
> http://people.canonical.com/~ubuntu-security/cve/ But the bug I
> picked wasn't there.
>
> I had to google around to find it here.
> http://www.ubuntuupdates.org/package/core/saucy/main/updates/glance
>
>
>
> Debian has bundled files with CVEs but no dates, only release
> numbers https://security-tracker.debian.org/tracker/
>
> I was only able to find nice stats with everything I needed for
> Red Hat. http://www.redhat.com/security/data/metrics/
Heh, yup!
> If i'm missing any links to make this info more accessible please
> let me know. Otherwise, 2 dozen comparisons might take a day or
> two.
>
> kesten
So, from a previous life when I contracted for iSIGHT/iDefense, I know
firms like that can produce this data, but they charge quite a bit,
the reason being that, as you discovered, most sources are very
messy/hard to parse.
Another way to approach it might be to pick a few packages that get
updates regularly (e.g. keystone) and go through the package histories,
noting when they solve the various CVEs; that way you only have to look
at a handful of files.
--
Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
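The approach Kurt suggests (walk the changelogs of a few packages and note when each CVE was fixed) carried out in code, as an added example that is not part of the thread and not anyone's published tool: a hypothetical Python script that parses RPM %changelog output and Debian/Ubuntu changelog files, emits the CSV (package, version, date, CVE) kesten asked for, and reports each distribution's lag in days behind the fastest fix. The changelog text embedded in it is constructed sample input with invented dates and maintainer names; the distro labels ("el6", "ubuntu-saucy") and package names are assumptions for illustration.

```python
"""Hypothetical changelog-to-CSV extractor: an added example, not code from the thread.

Parses the two changelog dialects the thread touches on, RPM %changelog
entries (as printed by ``rpm -q --changelog <pkg>``) and Debian/Ubuntu
changelog files (``/usr/share/doc/<pkg>/changelog.Debian.gz``), records
every CVE id with the version and date of the entry that mentions it,
writes the rows as CSV, and computes per-distribution fix lag. The sample
changelogs at the bottom are constructed; dates and names are invented.
"""
import csv
import io
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# RPM entry header: "* Mon Apr 14 2014 Jane Doe <jane@example.com> - 2013.2.3-1"
RPM_HDR_RE = re.compile(r"^\*\s+(?P<date>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4})\s*(?P<rest>.*)$")
# Debian entry header: "glance (1:2013.2.3-0ubuntu1) saucy; urgency=medium"
DEB_HDR_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9.+-]*) \((?P<ver>[^)]+)\) \S+; urgency=")
# Debian entry trailer: " -- Jane Doe <jane@example.com>  Thu, 17 Apr 2014 09:12:00 +0100"
DEB_TRAILER_RE = re.compile(r"^ -- .*<[^>]*>  (?P<date>.+)$")
FIELDS = ["distro", "package", "version", "date", "cve"]


def _rows(entry):
    """One row per distinct CVE in a finished changelog entry (order kept)."""
    cves = dict.fromkeys(entry.pop("cves"))  # de-duplicates repeated mentions
    return [dict(entry, cve=cve) for cve in cves]


def parse_rpm_changelog(distro, package, text):
    """Rows from an RPM %changelog dump; the date sits in the entry header."""
    rows, entry = [], None
    for line in text.splitlines():
        m = RPM_HDR_RE.match(line)
        if m:
            if entry is not None:
                rows += _rows(entry)
            tokens = m.group("rest").split()
            # A trailing token that is not the "<email>" is the package version.
            version = tokens[-1] if tokens and not tokens[-1].endswith(">") else ""
            date = datetime.strptime(" ".join(m.group("date").split()), "%a %b %d %Y")
            entry = {"distro": distro, "package": package, "version": version,
                     "date": date.date().isoformat(), "cves": []}
        elif entry is not None:
            entry["cves"].extend(CVE_RE.findall(line))
    if entry is not None:
        rows += _rows(entry)
    return rows


def parse_debian_changelog(distro, text):
    """Rows from a Debian changelog; the date sits in the entry trailer."""
    rows, entry = [], None
    for line in text.splitlines():
        m = DEB_HDR_RE.match(line)
        if m:
            entry = {"distro": distro, "package": m.group("pkg"),
                     "version": m.group("ver"), "cves": []}
            continue
        m = DEB_TRAILER_RE.match(line)
        if m and entry is not None:
            entry["date"] = parsedate_to_datetime(m.group("date")).date().isoformat()
            rows += _rows(entry)
            entry = None
        elif entry is not None:
            entry["cves"].extend(CVE_RE.findall(line))
    return rows


def to_csv(rows):
    """The (distro, package, version, date, CVE) table as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def fix_lag_days(rows):
    """Per CVE: each distro's earliest fix date, as days behind the fastest distro."""
    earliest = {}
    for r in rows:  # ISO dates compare correctly as strings
        key = (r["cve"], r["distro"])
        earliest[key] = min(earliest.get(key, r["date"]), r["date"])
    per_cve = {}
    for (cve, distro), day in earliest.items():
        per_cve.setdefault(cve, {})[distro] = datetime.fromisoformat(day)
    return {cve: {d: (t - min(dates.values())).days for d, t in dates.items()}
            for cve, dates in per_cve.items()}


# Constructed sample input (not real package histories; dates and names invented).
RPM_SAMPLE = """\
* Mon Apr 14 2014 Jane Doe <jane@example.com> - 2013.2.3-1
- Resolves: CVE-2014-0162
- Add regression test for CVE-2014-0162
* Thu Jan 30 2014 Jane Doe <jane@example.com> - 2013.2.1-2
- Rebase to 2013.2.1
"""
DEB_SAMPLE = """\
glance (1:2013.2.3-0ubuntu1) saucy; urgency=medium

  * SECURITY UPDATE: fix CVE-2014-0162

 -- Jane Doe <jane@example.com>  Thu, 17 Apr 2014 09:12:00 +0100

glance (1:2013.2.1-0ubuntu1) saucy; urgency=low

  * New upstream release

 -- Jane Doe <jane@example.com>  Tue, 28 Jan 2014 12:00:00 +0000
"""


def demo():
    rows = (parse_rpm_changelog("el6", "openstack-glance", RPM_SAMPLE)
            + parse_debian_changelog("ubuntu-saucy", DEB_SAMPLE))
    return rows, fix_lag_days(rows)


if __name__ == "__main__":
    rows, lag = demo()
    print(to_csv(rows))
    print(lag)
```

On a real host the inputs are the output of `rpm -q --changelog <pkg>` and the decompressed `/usr/share/doc/<pkg>/changelog.Debian.gz`. Two caveats when reading the resulting lag numbers: a changelog date is when the packager wrote the entry, which can precede the date the update was actually published, and a CentOS rebuild inherits the RHEL spec file's changelog verbatim, so for the RHEL-versus-CentOS lag the thread links to you need the rebuild time (`rpm -q --qf '%{BUILDTIME:date}\n' <pkg>`) rather than the changelog date.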