Linux vulnerability patches

[jhewitt]

I believe Microsoft offers a database of sorts (in XML format - mssecure.xml) which provides all the patch related information (product name, patch name, patch download URL, info on what the vulnerability is all about) for Microsoft products; which is used by some of the Patch Management tools (Shavlik's HFNetChkPro?).

Now, I would want to know if something is like this is available for Linux distributions and other Linux related packages. I understand that there are sites like CVE, ICAT etc. which offer vulnerability information (collection). Had a look at them but they seem to be listing details for all types vulnerabilities (including system problems) for all types of products. Firstly I need to parse, the CVE database to locate the Linux related vulnerabilities. And then, I dont find the "patch download" URLs for most vulnerabilities.. there are some URLs but they dont lead to the "patches" as such.

My requirements are something like this :

1. Is something as comprehensive as mssecure.xml available for Linux distributions (RedHat, Debian etc.) and related packages ? 2. For Linux patching, what information do the PM tools use to identify vulnerabilities .. CVE database ? (or something similar ?) 3. Are the patches downloaded from respective sites of different Linux distributions or some central repository ? Would like to know if some specific sites are used and if so what are they ?

Jason

[kpzani]

I use the up2date tool in fedora, patches well new patched versions of stuff are released and I install them.. there's always an advisory notice regarding whats changed.

[logan5]

Your distributions web page should have something on it. I'm not really familiar with the others, but RedHat has this page -
https://www.redhat.com/apps/support/errata/
You can probably find something for Debian, Mandrake, Gentoo etc...