Full Disclosure mailing list archives
Quick note on requesting CVEs for public issues
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 28 Jul 2012 15:40:26 -0600
Just a note: if you need CVEs for open source security issues, email oss-security () lists openwall com (http://oss-security.openwall.org/wiki/mailing-lists/oss-security).

Please note that these requests are completely public (anyone can sign up to the oss-security@ list, the archives are public). This is generally one of the better ways to request a CVE because everyone that cares to track CVE #'s will find out about it ASAP, and also because it is a public request it is unlikely that anyone else will accidentally or otherwise request a CVE for the same issue, resulting in a duplicate.

Time line: I generally respond to these within one business day; this means you'll either get a CVE or a request for more information if the request is not properly formatted or is unclear/missing details/etc.

As far as what goes into the request:

Information for CVE request that is REQUIRED:

-Email address of requester (so we can contact them)
-Software name and optionally vendor name
-At least one of (to determine if this is a security issue):
    Type of vulnerability
    Attack outcome
-For Open Source at least one of:
    Link to vulnerable source code or fix
    Link to source code change log
    Link to security advisory
    Link to bug entry
-Affected version(s) (3.2.4, 3.x, current version, all current releases, something)
-If this has been previously requested (i.e. on OSS-Sec or to cve-assign () mitre org) please inform me so we can avoid duplicates
-If multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge status).

Information for CVE request, REQUESTED:

-More of the above information of course
-Software version(s) fixed (if available)
-Any additional information that helps determine the status of the flaws/fixes

Examples of CVE entries can be found at http://cve.mitre.org/cve/, examples of CVE requests can be found in the OSS-sec archives.
--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/