The purpose of tracking numbers.. (HP)
Posted by jericho
In the context of advisories, it’s simple, to help track documents and avoid confusion. Much the same reason a vulnerability database assigns a unique number to an issue. If there is confusion when discussing a vulnerability, you reference the unique ID and ideally, confusion goes away. That said, why does Hewlett-Packard feel the need to assign multiple tracking IDs to a single document/advisory?
HP-UX running WBEM Services Denial of Service (DoS) http://archives.neohapsis.com/archives/bugtraq/2005-12/0231.html
So this is “SSRT051026 rev. 1”, “Document ID: c00582373”, and HPSBMA02088. Three drastically different tracking numbers for the same document. Fortunately, all three were referenced in the same place this time, but still.. why must vendors do this?
CVE handles this non-optimally by using two separate “HP” references, one for the HPSBUX/HPSBMA, and another for the SSRT (remember that SSRT was from the old Compaq days, so this might be an oddity of the acquisition).
This isn’t much different than Red Hat or Debian sending out multiple advisories for the same issue - this is for different product families and/or supported development streams, as far as I can tell. There must be some sort of customer need for it, but I wonder if it causes more confusion than it addresses.
Compaq was a hardware manufacturer that produced as many machines for home users as it did servers for business. I’m sure you are right that SSRT designations are a legacy from the buyout, but why track HP-UX specific vulns from what was essentially a hardware vendor primarily back then?
Red Hat, Debian, Gentoo, Ubuntu .. all of them may issue multiple advisories for the same vulnerability as they update the information, but they use the same advisory ID scheme and one per document.