oss-sec mailing list archives
RE: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs
From: "Christey, Steven M." <coley () mitre org>
Date: Thu, 7 Mar 2013 18:09:52 +0000
This is a major challenge for CVE, but to do bug-based assignments will make CVE too dependent on the amount of vulnerability details that are available at the time of a CVE request - and those details vary widely. While it is a problem for the distros, I have generally had the perspective that it is ultimately their responsibility to track which portions of a CVE are fixed, and when.

Note - the more fundamental problem here is that CVE is being used much earlier in the disclosure process than it used to be, and it's basically being used as a universal bug ID. I strongly encourage the Linux community to consider adopting their own ID scheme. I made comments similar to this a couple years ago, but I can't easily find the reference right now.

- Steve

-----Original Message-----
From: Solar Designer [mailto:solar () openwall com]
Sent: Thursday, March 07, 2013 4:19 AM
To: oss-security () lists openwall com
Subject: Re: [oss-security] CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs

Kurt -

On Thu, Mar 07, 2013 at 02:13:37AM -0700, Kurt Seifried wrote:
> Bundling the following into a single CVE:
> [...]
> Please use CVE-2012-6138 for these issues.
I think this is wrong. I would understand if those issues were all in the same subsystem at least (or if you assigned per-subsystem CVE IDs for these), but this is not the case. Many distros will fix some, but not the others, or not all at the same time. There's room for a little bit of bundling here, but not that much.

Alexander