Is there something like the '-security' lists of other distros?

3 posts / 0 new
Last post
#1 Mon, 2015-07-06 21:21
Pearson
  • Pearson's picture
  • Offline
  • Last seen: 2 years 3 months ago
  • Joined: 2015-07-06

I just read about Alpine Linux in this week's Distrowatch Weekly. This looks very interesting, and I'd like to look into it during my (limited) spare time. One question I have is whether the Apline package maintainers track and report which CVEs are fixed in which releases. In particular, if a security patch is applied to a release, then I presume the package version number would be bumped; in that case, would there be something that says "fixed CVE-xxxx-yyy"? Is there something that would collect those?

I saw the cvewatcher package described on this forum, and it looks promising. But, there is the caveat that it only looks at the package version and will have false positives if the CVE has been patched.

Tue, 2015-07-07 23:23
AmatCoder
  • AmatCoder's picture
  • Offline
  • Last seen: 11 months 2 weeks ago
  • Joined: 2013-10-18

You can see the CVE fixes looking into git log. Examples:
For 3.0 release -> http://git.alpinelinux.org/cgit/aports/log/?h=3.0-stable
For edge -> http://git.alpinelinux.org/cgit/aports/log/?qt=grep&q=cve

You can get information about releases and branches here -> http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases

Wed, 2015-07-08 22:14 (Reply to #2)
Pearson
  • Pearson's picture
  • Offline
  • Last seen: 2 years 3 months ago
  • Joined: 2015-07-06

Thank you. That looks nice!

Log in or register to post comments