oss-sec mailing list archives
Re: CVE Requests
From: Mark Stanislav <mark.stanislav () gmail com>
Date: Fri, 16 Mar 2012 14:41:38 -0400
On Fri, Mar 16, 2012 at 2:37 PM, Tim Brown <tmb () 65535 com> wrote:
> On Friday 16 Mar 2012 16:11:04 Mark Stanislav wrote:
>
> > All points being made are very much valid and I certainly understand how contextually oss-sec may be used for allocation requests under different circumstances.
> >
> > So here's my situation, I'm up for suggestions (of which, "wait longer", is perfectly viable!)...
> >
> > 1) March 1st, I sent 2 of these CVEs over to Steve Christey at MITRE who had previously allocated 9 prior CVEs in a day or two generally
> > 2) March 8th, after not hearing back from Steve, I contacted cve@mitre directly with all 5
> > 3) March 15th, after not hearing back from MITRE, I contacted Kurt offlist as I've noted his helpfulness doing allocations
> > 3a) Kurt pointed me to email the list, rather than him directly (which is perfectly fine, but perhaps not the context I was aiming for initially)
>
> Josh Bressers (Josh, correct me if I'm using your name in vain) used to be quite happy to assign CVEs for undisclosed (embargoed) F/OSS issues providing details were forthcoming with the request. If Josh is no longer able to fulfil that role due to a change of circumstance at Redhat it would be nice if someone stepped into the breach - be that Redhat, Debian or one of the other CNAs.
>
> There is definitely a place for "disclosed to project, being/been fixed, not public - can I have a CVE?" without deferring to the distros list or MITRE - most of the time projects can respond in a timely fashion, so a minimum effort approach is ideal.
>
> As an aside, the public address for MITRE on the web site is wrong AFAIK.
>
> Quoting Steve Christey:
>
> "Apologies for the delay. In the future, please use cve-assign () mitre org for requests related to CVE reservation."

Thank you, Tim. I've forwarded them over to that address instead.

-Mark

> From last time I went to MITRE (for a closed source product).
>
> Tim
> --
> Tim Brown
> <mailto:tmb () 65535 com>