
Re: Regarding CVE assignments on oss-sec mailing list



> "Just as a reminder, there's currently no agreement in place between
> the MITRE CVE team and Red Hat that would let Red Hat assign a CVE ID
> for a public report in this way."

I spotted a security advisory come out from my team today which had no CVE 
on it.  What, how is that possible?  We make a big deal about having 
vulnerability identifiers on every vulnerability we fix in a Red Hat 
security advisory, since we started doing this 15-odd years ago.

https://rhn.redhat.com/errata/RHSA-2015-2515.html

My team told me we'd fixed the same issue already in November in different 
products.

A request for a CVE name went to oss-security in October, and repinged in 
November just before the first advisory.

http://seclists.org/oss-sec/2015/q4/358

In the past we'd simply just take something out of our CNA and ask for 
forgiveness later, kind of like Kurt did for the issue in this thread.

I figure a security issue being fixed in Red Hat Enterprise Linux is 
something that's going to get a CVE, no matter what reduced inclusion 
criteria may apply (it's not even in an obscure component or some older 
version, this is the latest RHEL and git).

We want to have a vulnerability identifier for every vulnerability we know 
we're fixing.  So that means we either keep pinging and calling 
people at Mitre before any similar RHSA, or start to abuse our CNA powers, 
or invent our own temporary CXX prefix for these.

Mark


Page Last Updated or Reviewed: December 16, 2015