Re: CVEs with no REF URL (or a REF URL that is self referential)
On 2017-10-05 07:01 AM, Art Manion wrote:
> On 2017-10-04 17:54, Kurt Seifried wrote:
>
>> The embargo often is set for a time and the commits/vendor
>> announcements/etc. all take time. Rather than wait and check and
>> update the CVE entry with the ref URL, it would be much easier just to
>> fire off the CVE that is self-contained to the database so there is
>> something nearly immediately in the database (we're finding this
>> helps a lot with the higher profile messy issues).
>
> Ah OK. I've been operating under the impression that the delay
> you're talking about was too small to matter, probably hours, less
> than half a day. I consider same-day CVE ID to be fast enough, maybe
> < 6 hours for hot issues.
>
> - Art
>
TBH it's less about the delay and more about automation. If I can
cronjob shoving the CVE into the database, and then later update it (or
anyone else can), handling embargoed CVEs becomes cheaper (essentially I
would assign, set the date, and like the Ronco Rotisserie "Set it and
forget it!" [assuming the embargo date doesn't change]). Especially for
the common case where people want the CVE prior to the git commit, if
that can be mostly automated, that'd be awesome.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com