Hi,

> But here's what I'd suggest,
> and this should be helpful for other vendors who include curl:
>
> curl 7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7i
> zlib/1.2.3
> Protocols: ftp gopher telnet dict ldap http file https ftps
> Features: IPv6 Largefile NTLM SSL libz
> Patches: APPLE-SA-2006-05-11
>
> Of course, the 'APPLE-SA-2006-05-11' could be 'DSA-919' on Debian or
> 'GLSA-200603-25' on Gentoo, or simply 'CVE-2005-4077' on any system.

I think that is a good idea. But I'd prefer if all vendors use the CVE-codes
and not their own ids. This way it is possible to do automated checks for
certain patches without a big database of all vendor-ids. I'd use
vendor-specific stuff just for vendor-specific patches, e.g. a non-security
bugfix, packaging fix and the like.

Kind regards,

Gerd
Received on 2006-05-20