Bugzilla auto-links any mention of CVE-foo to MITRE's site (i.e. CVE-2010-0047). Now that we have per-CVE pages that we point customers to (that contain our CVSSv2 scores, our impact rating, links to our errata we've released, and our NVD statements), I think it makes more sense to have bugzilla auto-link to our per-CVE pages rather than MITRE. There is much more relevant information on our pages than there is on MITRE's (and our page links back to MITRE's page anyways).

The only downside is that we may end up pointing to a "not found" page in some cases due to how we parse bugzilla and our requirements, for instance:

https://www.redhat.com/security/data/cve/CVE-2010-0047.html

That brings up a "not found" page because our bug doesn't have a valid CVSSv2 score. This is something we need to work on (in this case, just provide the score), but that is one drawback. We could probably make the "not found" page provide a direct link to MITRE's site to see if they have further information.
This is our current regex code that does this auto-linkification:

# Linkify CAN or CVE links IE: CAN-XXXX-XXXX CVE-XXXX-XXXX
$text =~ s~\b(C(?:VE|AN)-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename\.cgi\?name=$1\">$1</a>~g;

We would just change it to:

# Linkify CVE links IE: CVE-XXXX-XXXX
$text =~ s~\b(CVE-\d{4}-\d{4})~<a href=\"https://www.redhat.com/security/data/cve/$1\.html\">$1</a>~g;

# Linkify CAN links IE: CAN-XXXX-XXXX
$text =~ s~\b(CAN-\d{4}-\d{4})~<a href=\"http://cve\.mitre\.org/cgi-bin/cvename.cgi\?name=$1\">$1</a>~g;

Does that look acceptable to you? Also should we go forward before the page not found issue is resolved?

Dave
I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the CVE-2009-0301 page). So I think it would be safe to make all CAN's point to our CVE pages also (just s/CAN/CVE/ for the name).

The page not found issue has been resolved. If you visit:

https://www.redhat.com/security/data/cve/CVE-2009-0001.html

You'll see some javascript stuff at the bottom to point to MITRE's site.

I'll let Mark make the call on the CAN handling though. I think they should be converted to CVE-foo and pointing to our page.

Thanks Dave!
(In reply to comment #2)
> I don't think we want to point CAN-XXXX-XXXX to MITRE's site since all CAN-foo
> have turned to CVE-foo (i.e. if you go to CAN-2009-0301 it will take you to the
> CVE-2009-0301 page. So I think it would be safe to make all CAN's point to our
> CVE pages also (just s/CAN/CVE/ for the name).
>
> The page not found issue has been resolved. If you visit:
>
> https://www.redhat.com/security/data/cve/CVE-2009-0001.html
>
> You'll see some javascript stuff at the bottom to point to MITRE's site.
>
> I'll let Mark make the call on the CAN handling though. I think they should be
> converted to CVE-foo and pointing to our page.

Okay, works for me. I will hold off til Mark's sign off before making the change.

Dave
Agreed, any CAN-xxxx-yyyy should point to https://www.redhat.com/security/data/cve/CVE-xxxx-yyyy.html
Thanks. Change committed to SVN and will be in the next update. Dave
Great! Thanks Dave.
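
The behaviour agreed in this thread (both CVE-xxxx-yyyy and CAN-xxxx-yyyy link to the per-CVE page, with the CAN name rewritten to CVE in the URL), as an added example that is not the change committed to Bugzilla. The helper name linkify_cve and the sample strings are constructed for illustration, and the input is assumed to be HTML-escaped already.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-CVE page base URL, as given in the thread.
my $BASE = 'https://www.redhat.com/security/data/cve/';

# linkify_cve() is a hypothetical helper name. Assumption: $text has already
# been HTML-escaped by the caller, so the only markup in the result is the
# anchors added here.
sub linkify_cve {
    my ($text) = @_;

    # $1 = identifier as written (CVE-... or CAN-...), $2 = year-sequence part.
    # The href always uses the CVE- name; the visible text is left as typed.
    $text =~ s{\b(C(?:VE|AN)-(\d{4}-\d{4}))}
              {<a href="${BASE}CVE-$2.html">$1</a>}g;

    return $text;
}

# Constructed sample comments, not taken from a real bug.
my @samples = (
    'Fixed in CVE-2010-0047, see also CAN-2009-0301.',
    'No identifier here, and XCVE-2010-0047 has no leading word boundary.',
);

for my $sample (@samples) {
    print linkify_cve($sample), "\n";
}
```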