oss-sec mailing list archives

Re: Re: CVE duplicates SA-CONTRIB-2013-075


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 21 Oct 2013 14:08:14 -0600


On 10/21/2013 09:41 AM, Christey, Steven M. wrote:
> Note that with two CNAs handling already-public issues, there are
> multiple ways that duplicates can arise.  This risk grows as
> MITRE's output increases.  On the MITRE side, we are revisiting our
> procedures for reducing the number of duplicates.  We already
> privately identified the increased duplicate risk with Kurt and
> will work with him to make things more manageable.
>
> For this specific situation: MITRE processed the Drupal advisories
> on September 25, creating new CVEs that were thus available in NVD
> at approximately 11 AM Eastern time.  Forest's request to
> oss-security happened on September 26.  Kurt's response to
> oss-security was on September 27.  So in this case, there were
> multiple opportunities for requesters to check for pre-existing
> CVEs in NVD.
>
> The MITRE-assigned CVE-2013-5937 and CVE-2013-5938 are in more
> active use and were published first, so they will be kept.
>
> REJECT CVE-2013-4381 as a duplicate of CVE-2013-5938.
>
> REJECT CVE-2013-4382 as a duplicate of CVE-2013-5937.
>
> Forest, please update the advisory to use the MITRE-assigned
> numbers.
>
> - Steve


Yup, I failed to check because, well, in the past it had never been a
problem and I didn't know Mitre was increasing their output with
respect to the open source public assignments. Hopefully it shouldn't
happen again.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

