Re: Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver

[Kurt Seifried <kseifried () redhat com>]

On 11/10/14 03:59 PM, cve-assign () mitre org wrote:
> First, in general, when asking for a CVE assignment for an issue
> "similar" to an existing CVE, it is very useful to provide an
> additional statement or reference indicating why the issue should not
> be mapped to the existing CVE. A difference in the product name does
> not always require a separate CVE.

Agreed. One pain point i have encountered with CVE SPLIT/MERGE is the
"when is a code fork a fork, or just a normal fork?" E.g. sometimes it's
easy: like one week after the MariaDB fork from MySQL it's obvious that
any flaw affecting one will affect the other and they're basically the
same code, but as time goes on MariaDB is diverging. One thing that
would be hugely useful here to solve the CVE MERGE problem, and to let
people know what related software packages they should look at would be
a database of code considered "equivalent" by Mitre for the purposes of
CVE MERGE and also for people to check if other things are affected by
the same flaw.

I suspect there aren't actually that many entries, and populating it as
they come up would be pretty simple, especially if there's an easy way
to submit entries (just send an email?).  Would this be something Mitre
can do perhaps?

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature