cswiger at mac.com
Mon Apr 12 14:01:29 PDT 2004
Matthew Seaman wrote:
[ ... ]
> Errr -- did you look at the lists of entries those searches actually turn
> up? [ ...some analysis snipped... ] I don't think that simply counting
> CVE entries is going to tell you very much useful.
No, I didn't look closely at the results.
Without a lot more knowledge of the anonymous friend's security concerns (what
their security policy is; whether local compromise vs remote matters, for
instance; exploits related to specific modules they were running [simply
considering the interactions of mod_ssl with OpenSSL vulnerabilities is a
topic of considerable complexity]; etc), the # of CVE entries is as relevant
as any other statistic.
I agree with you, in other words: not very...useful. :-)
However, someone who cared to make a meaningful comparision might start with
the CVEs, plus checking the ChangeLogs, security-focus/bugtrak/etc mailing
lists, and any other convenient data sources besides.
More information about the freebsd-questions