
Re: [oss-security] Mitre, reserved CVEs and oss-security?



On Wed, Mar 2, 2016 at 6:25 PM, Paul Wise <pabs3@bonedaddy.net> wrote:

> Hi all,
>
> I think it would be a good idea for Mitre to remove the RESERVED mark
> from CVEs that have been released for use by people mailing issues to
> the oss-security list to get CVE numbers. The CVE database could then point
> at the oss-security mailing list archives as a reference for the issue.
>
> Any thoughts?
>
> For example CVE-2016-2515 could refer to one of these posts:
>
> http://www.openwall.com/lists/oss-security/2016/02/20/1
> http://www.openwall.com/lists/oss-security/2016/02/20/2


I had suggested this in the past (several years ago to the original Steven),
and again in this email last November:

https://cve.mitre.org/data/board/archives/2015-11/msg00018.html

My understanding is it's a no go due to two main factors:

1) CVE database lacks a good update mechanism to inform people of updated
entries
2) CVE entries must be "complete" before being added (e.g. researched/full
write up/etc.).

I could of course be wrong; we never actually got a response from Mitre on
my November email about this.

I'd be happy to bring it up on the board list again (CC'ed). Mitre, can you
enlighten us please?


>
>
> --
> bye,
> pabs
>
> http://bonedaddy.net/pabs3/
>
>


-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 07, 2016