[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE/CNA coverage

To: Kurt Seifried <kseifried@redhat.com>
Subject: Re: CVE/CNA coverage
From: Kurt Seifried <kurt@seifried.org>
Date: Wed, 29 Mar 2017 19:29:19 -0600
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=seifried.org;
Cc: "Williams, Ken" <Ken.Williams@ca.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Thu Mar 30 07:47:22 2017
In-reply-to: <CANO=Ty0V0WMMsy85dooCr4yMgGF6qS+ScsT6mwtjWXpb-xLM+w@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty3WGuytedsYHitNimJxu3b3_WzZqsZOHN4eZyrrmBY0hA@mail.gmail.com> <MWHPR01MB22370F9A616887FEF644ECDFF1350@MWHPR01MB2237.prod.exchangelabs.com> <CANO=Ty0V0WMMsy85dooCr4yMgGF6qS+ScsT6mwtjWXpb-xLM+w@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2

Sorry, I was on my phone, I meant to delete that draft but instead I sent it (I had drafted it but then double checked the product name).

On Wed, Mar 29, 2017 at 1:20 PM, Kurt Seifried <kseifried@redhat.com> wrote:

Ah then I guess that answers my question pretty clearly, I'll redirect the requestor. Thanks!

On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <Ken.Williams@ca.com> wrote:

They’ve previously issued CVE identifiers for it.

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Regards,

kw

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Wednesday, March 29, 2017 2:08 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE/CNA coverage

So somebody asked for a CVE for Glassfish open server

https://glassfish.java.net/

Project sponsored by Oracle. Traditionally I've taken the "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic this would make this open source project fall into Oracle's space, so I guess my question is:

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arms length perhaps?

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source), If Oracle does want to be the CNA I'll redirect the request to them.

And in general should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt.

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Kurt Seifried
kurt@seifried.org

References:
- CVE/CNA coverage
  - From: Kurt Seifried <kseifried@redhat.com>
- RE: CVE/CNA coverage
  - From: "Williams, Ken" <Ken.Williams@ca.com>
- Re: CVE/CNA coverage
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: RE: CVE/CNA coverage
Next by Date: CVE-2017-7269 and abandonware
Previous by thread: Re: CVE/CNA coverage
Next by thread: Re: CVE/CNA coverage
Index(es):
- Date
- Thread