Mark,
We have been actively working with the upstream vendor to determine the appropriate number of CVEs for the vulnerabilities in git. There was no oss-security post from MITRE because the context of MITRE's work was related to previous private communication from and to the upstream vendor.
The information in the initial request (http://seclists.org/oss-sec/2015/q4/37) required us to infer the vulnerabilities from code diffs and vague changelog statements. Historically, basing CVE assignments on this type of information has proven difficult and error prone. For example, we are not certain if Kurt's assignment of CVE-2015-7545 to "Some protocols (like git-remote-ext) can execute arbitrary code found in the URL" is correct. The vendor may not officially support the "blindly enable recursive fetch" scenario, i.e. the user is expected to accept the risk of executing a recursive fetch from an untrusted source, and the change should be considered a security hardening feature for the convenience of their users. MITRE relies on the vendor guidance in these situations.
In the future, we plan to respond quickly to requests like the initial one, asking the requester for the appropriate information needed to assign a CVE ID. If the Editorial Board members have suggestions on better ways to handle these situations, we would appreciate your input.
--
Jonathan Evans
The CVE Team
The MITRE Corporation