oss-sec mailing list archives

Re: using oss-security references in CVE


From: Solar Designer <solar () openwall com>
Date: Fri, 28 Mar 2008 02:58:43 +0300

Steve,

On Thu, Mar 27, 2008 at 06:59:27PM -0400, Steven M. Christey wrote:
> In CVE, we try to provide "provenance" for every detail that makes its way
> into the description.  Issues like rxvt and CenterIM have some details
> that are only publicly documented in oss-security, and I would like to add
> these as references.

That would be great.

> However, I haven't done so yet.  If I start to add oss-security references
> to CVEs when needed, this will be noticed by the other vuln DBs and added
> to their watch lists.  As their response is sometimes faster than CVE's,
> this means that new vuln reports will start showing up publicly much more
> quickly.

Isn't that actually desirable?  I mean, stuff being posted to
oss-security is supposed to be either already public or intended to be
made public right away.

> Are people OK with that?

Please go for it!

If you can, please use the official archive URLs, currently at:

        http://www.openwall.com/lists/oss-security/

In case this is moved - e.g., to the oss-security website - we'll make
sure to put proper redirects in place, such that every message's URL
remains valid.  While the software powering this archive is currently
quite spartan, I think it suffices this purpose (CVE refs) well - and
its further development was just revitalized.

By the way, maybe we should also add a link to the oss-security wiki to
page footers on that archive?  Or even to message trailers (such that
the wiki link will be seen on third-party archives as well)?

Oh, and someone should write a wiki page about getting CVE IDs.  This is
currently mentioned as a FIXME here:

        http://oss-security.openwall.org/wiki/disclosure/researcher

Thanks,

Alexander

