oss-sec mailing list archives

Re: CVE request


From: Solar Designer <solar () openwall com>
Date: Mon, 20 Apr 2015 06:24:27 +0300

Sorry for bikeshedding, but:

On Sun, Apr 19, 2015 at 10:21:00PM -0400, Dan McDonald wrote:
> Illumos bug #5853 (https://www.illumos.org/issues/5853), now fixed, can be
> exploited to escalate privilege.  It's not easy to do so, but it is enough
> to cause concern and ask for a CVE number.

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"When applicable, the message Subject must include the name and
version(s) of affected software, and vulnerability type.  For example, a
Subject saying only "CVE request" or "CVE-2099-99999" is not appropriate,
whereas "CVE request - Acme Placeholder 1.0 buffer overflow" or
"CVE-2099-99999 - Acme Placeholder 1.0 buffer overflow" would be OK."

> At least two distros already have this fix in place.  I'd appreciate a CVE
> number (and if possible a way to request these on a non-public list...
> sorry if I missed the FAQ).

If you're OK with posting a CVE request in public, please do so - like
you did this time (just with a better Subject).  For other cases, see:

http://www.openwall.com/lists/oss-security/2015/04/13/6

and the followups to that message (click "thread-next").

Alexander

