oss-sec mailing list archives
Re: Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 11 Oct 2014 20:13:15 -0600
On 11/10/14 03:59 PM, cve-assign () mitre org wrote:
First, in general, when asking for a CVE assignment for an issue "similar" to an existing CVE, it is very useful to provide an additional statement or reference indicating why the issue should not be mapped to the existing CVE. A difference in the product name does not always require a separate CVE.
Agreed. One pain point i have encountered with CVE SPLIT/MERGE is the "when is a code fork a fork, or just a normal fork?" E.g. sometimes it's easy: like one week after the MariaDB fork from MySQL it's obvious that any flaw affecting one will affect the other and they're basically the same code, but as time goes on MariaDB is diverging. One thing that would be hugely useful here to solve the CVE MERGE problem, and to let people know what related software packages they should look at would be a database of code considered "equivalent" by Mitre for the purposes of CVE MERGE and also for people to check if other things are affected by the same flaw. I suspect there aren't actually that many entries, and populating it as they come up would be pretty simple, especially if there's an easy way to submit entries (just send an email?). Would this be something Mitre can do perhaps? -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver Siddharth Sharma (Oct 09)
- Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver cve-assign (Oct 11)
- Re: Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver Kurt Seifried (Oct 11)
- Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver cve-assign (Oct 11)