
Non-CVE vulnerabilities

Posted Jul 25, 2025 13:13 UTC (Fri) by pabs (subscriber, #43278)
In reply to: Non-CVE vulnerabilities by smcv
Parent article: Understanding Debian's security processes

I note that not all GitHub projects use CVE IDs, many preferring to stick to GHSA IDs instead.

ISTR that other projects have their own vulnerability ID space, and not all of them have corresponding CVEs too.

I also note Debian doesn't seem to either auto-import non-CVE vulnerability data (probably too many to ingest, and most aren't for Debian-packaged projects anyway), or map non-CVE vulnerability IDs to CVE or TEMP IDs.

I expect the combination of these means that Debian does probably miss some vulnerabilities where upstreams didn't get CVEs, but have released vulnerability information with a GHSA or other ID system.



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.