[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE/CNA coverage

To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE/CNA coverage
From: "Williams, Ken" <Ken.Williams@ca.com>
Date: Wed, 29 Mar 2017 19:19:36 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=none header.from=ca.com;
Delivery-date: Thu Mar 30 07:47:22 2017
In-reply-to: <CANO=Ty3WGuytedsYHitNimJxu3b3_WzZqsZOHN4eZyrrmBY0hA@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty3WGuytedsYHitNimJxu3b3_WzZqsZOHN4eZyrrmBY0hA@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
Thread-index: AQHSqL/9hhPfQiAypk+iUwk3QVEX8qGsMPYQ
Thread-topic: CVE/CNA coverage

They’ve previously issued CVE identifiers for it.

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Regards,

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Wednesday, March 29, 2017 2:08 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE/CNA coverage

So somebody asked for a CVE for Glassfish open server

https://glassfish.java.net/

Project sponsored by Oracle. Traditionally I've taken the "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic this would make this open source project fall into Oracle's space, so I guess my question is:

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arms length perhaps?

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source), If Oracle does want to be the CNA I'll redirect the request to them.

And in general should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: CVE/CNA coverage
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE/CNA coverage
  - From: Kurt Seifried <kseifried@redhat.com>

References:
- CVE/CNA coverage
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: CVE/CNA coverage
Next by Date: Re: CVE/CNA coverage
Previous by thread: CVE/CNA coverage
Next by thread: Re: CVE/CNA coverage
Index(es):
- Date
- Thread