Debian Security Advisories are CVE-Compatible

March 30th, 2004

Debian Security Advisories (DSA) have been declared CVE-compatible at the RSA Conference 2004, in San Francisco, February 24th, 2004.

The DSA service provided by the Debian Security Team has offered information on security vulnerabilities that were fixed in Debian GNU/Linux releases since 1997. In an effort to cooperate with the Common Vulnerabilities and Exposures (CVE) project to standardise the names for all publicly known vulnerabilities and security exposures, new security advisories have carried CVE names since June 2002. Debian formally applied for CVE compatibility in May 2003.

The Debian project believes that it is extremely important to provide users with additional information related to security issues that affect the Debian distribution. The inclusion of CVE names in advisories helps users associate generic vulnerabilities with specific Debian advisories and updates, which reduces the time spent handling vulnerabilities that affect our users.

The availability of common security references also eases security management in environments where CVE-enabled security tools, such as network or host intrusion detection systems or vulnerability assessment tools, are already deployed, regardless of whether or not those environments are based on the Debian distribution.

The Debian project has added CVE names to all advisories released since September 1998 through a review process started in August 2002. All advisories can be retrieved from the Debian web site, and announcements of new vulnerabilities include CVE names if they are available at the time of release. Advisories associated with a given CVE name can be searched for directly through the search engine.

Moreover, Debian provides a complete cross-reference table, including all references available for advisories published since 1997. This table is provided to complement the reference map available at CVE.

Debian developers understand the need to provide accurate and up-to-date information on the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE names enable the project to provide standardised references to all publicly known vulnerabilities and security exposures, which allows users to develop a CVE-enabled security management process.