Re: Regarding CVE assignments on oss-sec mailing list

To: Pascal Meunier <pmeunier@cerias.purdue.edu>
Subject: Re: Regarding CVE assignments on oss-sec mailing list
From: Kurt Seifried <kseifried@redhat.com>
Date: Mon, 30 Nov 2015 11:12:44 -0700
Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=redhat.com;
CC: "Williams, Ken" <Ken.Williams@ca.com>, jericho <jericho@attrition.org>,cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-Date: Mon Nov 30 15:05:23 2015
In-Reply-To: <20151130130526.59fab5aa@saguenay.hubzero.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org> <CO1PR01MB110EF47E414E26C0A99CB1AF1010@CO1PR01MB110.prod.exchangelabs.com> <20151130130526.59fab5aa@saguenay.hubzero.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

On Mon, Nov 30, 2015 at 11:05 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

On Sun, 29 Nov 2015 15:11:20 +0000
"Williams, Ken" <Ken.Williams@ca.com> wrote:

Adding a CVE ID 3 months after the publication of an advisory should
only help historians. In my mind that defeats a main purpose of the
CVE, which is to know if Alice, Bob and Charlie are talking about the
same issue or not.

Pascal

Except it makes tracking it a lot easier, and many times more than one vendor embeds/ships the affected code, ok, mostly this is an OpenSource world issue, but based on the fact that OpenSource is the under pinning of all Linux, BSD, Mac OS X, Android (basically everything except Windows) it does matter quite a bit. Security issues often crop up again and again as people re-use code.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- Regarding CVE assignments on oss-sec mailing list
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: jericho <jericho@attrition.org>
- RE: Regarding CVE assignments on oss-sec mailing list
  - From: "Williams, Ken" <Ken.Williams@ca.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

Prev by Date: Re: Regarding CVE assignments on oss-sec mailing list
Next by Date: Re: Regarding CVE assignments on oss-sec mailing list
Prev by thread: Re: Regarding CVE assignments on oss-sec mailing list
Next by thread: Re: Regarding CVE assignments on oss-sec mailing list
Index(es):
- Date
- Thread