Chuck Swiger cswiger at mac.com
Mon Apr 12 14:01:29 PDT 2004

Matthew Seaman wrote:
[ ... ]
> Errr -- did you look at the lists of entries those searches actually turn
> up?  [ ...some analysis snipped... ]  I don't think that simply counting
> CVE entries is going to tell you very much useful.

No, I didn't look closely at the results.

Without a lot more knowledge of the anonymous friend's security concerns (what 
their security policy is; whether local compromise vs remote matters, for 
instance; exploits related to specific modules they were running [simply 
considering the interactions of mod_ssl with OpenSSL vulnerabilities is a 
topic of considerable complexity]; etc), the # of CVE entries is as relevant 
as any other statistic.

I agree with you, in other words: not very...useful.  :-)

However, someone who cared to make a meaningful comparision might start with 
the CVEs, plus checking the ChangeLogs, security-focus/bugtrak/etc mailing 
lists, and any other convenient data sources besides.


More information about the freebsd-questions mailing list