oss-sec mailing list archives
Re: CVE Requests
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 16 Mar 2012 11:42:31 -0600
On 03/16/2012 04:26 AM, Andreas Ericsson wrote:
On 03/16/2012 04:41 AM, Kurt Seifried wrote:
I need the actual info, please refer to:
http://www.openwall.com/lists/oss-security/2012/03/16/2
http://www.openwall.com/lists/oss-security/2012/03/15/9
http://www.openwall.com/lists/oss-security/2012/03/14/6
http://www.openwall.com/lists/oss-security/2012/03/12/7

Those mails are all exemplary requests for CVE id's, of course, but the fact that they are all already fixed and released means that 100% of the work is already done. At that point, assigning a CVE id is mostly useless and is done as a "just for the record" thing.
Uh no. Tracking these issues is critical and it happens across dozens, and in some cases hundreds of vendors (e.g. CVE-2009-3555).
The need for a unified identifier for a particular issue is greatest when discussing the problem and its potential solutions; not how someone actually solved it after it's already done. If CVE is to become a thing for changelogs only, all those projects that don't use one but rely on commit messages instead won't use CVE id's at all, and the usefulness of the CVE database dwindles.
If only it were that simple. Having worked for iSIGHT/iDefense prior to Red Hat, and now at Red Hat, let me say this simply: CVE is 100% critical for security work at large scales. Automated products/etc. need reliable names for security issues. Customers need reliable ways to ask questions (did you fix that OpenSSL thing mentioned over in this random blog post? Oh, you mean this CVE, yes. etc.).

--
Kurt Seifried
Red Hat Security Response Team (SRT)