Re: CVE request: cmsmadesimple before 1.11.8 / bad upstream behaviour vs. CVE assignment

[Henri Salo <henri () nerv fi>]

On Mon, Oct 21, 2013 at 02:10:53PM -0600, Kurt Seifried wrote:
> On 10/21/2013 01:20 PM, Hanno Böck wrote:
> > Hi,
> >
> > I want to request a CVE, but also start some discussion about how
> > to handle such issues.
> >
> > The release notes for cmsmadesimple 1.11.8 mention a security
> > issue: 
> > http://www.cmsmadesimple.org/announcing-cmsms-1-11-8-fioreana/ 
> > "This release brings a few minor features, some performance 
> > improvements, documentation improvements, a Smarty upgrade, and a 
> > number of bug fixes (including a minor security issue)."
> >
> > Now, this is all the information you get. Nothing about the kind
> > of security issue, let alone a bug nr or commit. The question is:
> > What do we do with such shitty upstream behaviour?
> >
> > Last time I reported something alike I was told that I should
> > provide more info. The question is: How?
> >
> > Sure, I could diff the release to the release before or try to
> > find some repository and read all the commits in the timeframe. But
> > I'm not getting paid for this, I merely want to improve overall
> > security of free software voluntarily.
> >
> > So how will we proceed with such stuff? In the past, we often had
> > "CVE for unknown security issue in xxx"-alike assignments.
> >
> > cu,
>
> Yeah, maybe if we can incentivize this research, e.g. give people
> credit or something, not for discovering the issue but for researching
> it and posting the details/diff/whatever. In general if no details are
> available unless there's some reason not to, I would generally hand
> these over to Mitre to deal with.
>
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)

Can we get this assigned?

Diff between 1.11.7 and 1.11.8: http://paste.nerv.fi/61005941.txt (too big for
mailing list)

---
Henri Salo

Attachment: signature.asc
Description: Digital signature