Re: CVEs with no REF URL (or a REF URL that is self referential)
On 10/4/17 12:48 PM, Kurt Seifried wrote:
> So currently CVE assignments require a URL.
>
> My proposal is that, simply put, if the CVE itself can contain all the
> needed data, why not remove the requirement for the URL? The advantage
> of this is that for embargoed issues we can immediately submit the CVE
> to the database without having to wait for REF URLs to be created. The
> other advantage is that the REF URL can't disappear: the data is
> embedded directly in the CVE entry.
>
> The common case is that in the open-source world we often have all the information
> needed for a CVE assignment, specifically in the form of a patch with notes, but
> that patch has not yet been committed, and it may not be a deterministic URL once
> committed (if we knew the URL in advance we would simply put it into the REF
> URL). This is especially true for Linux kernel commits and many other projects
> that use git. Oftentimes, as well, these entities do not publish a security
> advisory or anything beyond "here's the patch commit with a note"
> (which is sufficient information in almost all cases).
>
> So I think, simply put, if the rules are changed to include a statement
> such as:
>
> The REF URL may be omitted, or set to reference the CVE itself
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-XXXXXX) if the
> description contains sufficient detail to fully explain the CVE (e.g.
> code patch information).
There are certainly benefits to having information included
locally/directly in a CVE entry.
Concerns:
There isn't currently a way in CVE to do this? Do I paste the
patch/diff into the description? DWF has artifacts. Might need to
change CVE records to be able to contain patches/notes.
And, why submit embargoed issues to CVE before the embargo is over?
Wait until public, and then you also have a git commit URL.
- Art