RE: Initial Guidance on Linux Issues
> Independent of the question of feasibility, is it required that there be
> CVE ids associated with all packages that are distributed by a
> commercially supported Linux distribution? Or, is there a smaller
> sub-set of packages for which we need full coverage while still allowing
> partial coverage of the others?

Our (Red Hat) processes and procedures require that every vulnerability is given a CVE name. We use CVE as our primary key in a number of situations, including our bug database and CVE database as well as for internal tracking of issues, instead of using any other unique identifier. In fact we want it to be an exception where we have to later fix a published advisory to change or add a CVE name to it (usually only done where Mitre subsequently split a CVE or due to closed source distribution).

We did this deliberately because when we started using CVE it wasn't very widespread and we wanted to promote and evangelise it and get other distros to use it.

If it was to be determined that not every vulnerability we fix (across Red Hat as a whole, not just Enterprise Linux) would get a CVE name, we would have to switch to using another unique identifier (with significant retooling efforts) and it's likely our mapping to CVE would really suffer (i.e. it's likely we wouldn't have CVE mappings at all in our published advisories, as they are unlikely to have been allocated at the time we push them). We may even end up sharing those new unique identifiers with other Linux vendors, and then we end up with an almost-CVE identifier from a different organisation, and that's my worst nightmare.

This is why I was answering your question with solutions, because I can't imagine a situation where CVE has partial coverage of the vulnerabilities we deal with and still remains a relevant and useful tool.

Mark