Open pombredanne opened 1 year ago
OpenSSL also provides an updated JSON feed https://www.openssl.org/news/secjson
Structured data are gone: XML data is gone, secadv/ index is gone and secjson/ index is gone.
The security data comes from a private repository per https://github.com/openssl/web/blob/d3ec13fa40e74fad789462dee4323faa2c6d2991/Makefile#L526 but seems no longer published.
OpenSSL also now has "premium releases" that are built as explained there: https://github.com/openssl/tools/blob/291a580209449f6aebf34e433f3b5f9afbd44c2b/HOWTO-publish-a-release.md
I filed https://github.com/openssl/web/issues/483 upstream as this is problematic. At the moment the ways to solve this issue would be:
(note that the date used by OpenSSL as a vulnerability ID is different from the CVE id)
Just some status:
The OpenSSL website has been reorganized and this is a bit of a mess at the new https://openssl-library.org/ because of missing redirects
https://openssl.org/news/secjson/CVE-2002-0659.json does not redirect to https://openssl-library.org/news/secjson/CVE-2002-0659.json ... there is no directory listing
The text advisories cannot be listed anymore (no directory listing) but redirect https://github.com/openssl/web/issues/493
See other woes at https://github.com/openssl/web/issues/483#issuecomment-2080436149
https://www.cve.org/CVERecord?id=CVE-2024-5535 and https://cveawg.mitre.org/api/cve/CVE-2024-5535 (JSON) seem to be mostly but not exactly the same as the HTML advisories at https://openssl-library.org/news/vulnerabilities/index.html
JSON advisories seem gone from the new web site
With all this, scraping the web page is likely the way out:
OpenSSL publishes an XML feed that we parse, but this is not updated. https://www.openssl.org/news/vulnerabilities.html and https://www.openssl.org/news/secadv/ should be good alternative sources.