oss-sec mailing list archives

Re: CVE id request: vlc

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 11 Nov 2008 15:48:18 -0500 (EST)


On Tue, 11 Nov 2008, [UTF-8] Rémi Denis-Courmont wrote:

CVE.mitre.org says nothing about vendor obtaining a CVE number, only
researchers. And typically, these guys don't do it, when dealing with
videolan.org anyway.


I'm sorry, I did not mean to sound critical of you or anybody on the
oss-security mailing list.  Many consumers probably don't care if bug 1
affects a slightly different set of versions than bug 2.  It just happens
to be something that's important for CVE, and (indirectly) people who rely
on it.

I was using the vlc case as an example of a general challenge that we're
facing in CVE that's arisen as a result of the creation of the
oss-security list, which I fully support.  We certainly don't want to
interfere with the way that open source developers handle security issues.

- Steve

Current thread:

CVE id request: vlc Nico Golde (Oct 14)
- Re: CVE id request: vlc Steven M. Christey (Oct 14)
- <Possible follow-ups>
- CVE id request: vlc Nico Golde (Oct 19)
  - Re: CVE id request: vlc Steven M. Christey (Oct 22)
    - Re: CVE id request: vlc Nico Golde (Oct 22)
- CVE id request: vlc Nico Golde (Nov 05)
  - Re: CVE id request: vlc Steven M. Christey (Nov 10)
    - Re: CVE id request: vlc Nico Golde (Nov 10)
    - Re: CVE id request: vlc Steven M. Christey (Nov 10)
    - Re: CVE id request: vlc Rémi Denis-Courmont (Nov 11)
    - Re: CVE id request: vlc Steven M. Christey (Nov 11)