oss-sec mailing list archives
Re: CVE request - illumos
From: Dan McDonald <danmcd () omniti com>
Date: Mon, 20 Apr 2015 13:01:58 -0400
Addressing one part publicly:
On Apr 20, 2015, at 12:34 PM, cve-assign () mitre org wrote:
<SNIP!>
> The cve-assign () mitre org address can be used for non-public requests for illumos CVEs. There may be other options for the open-source parts, but we think that not all of illumos is open source. http://wiki.illumos.org/display/illumos/illumos+FAQs says "There still remain some binary-only, closed source components that we inherited from Oracle." If the component also affects an Oracle product, then Oracle could assign the CVE ID.
The closed-source bits leftover from Oracle will never be updated, because Oracle unceremoniously closed the old OpenSolaris project without even telling the community (the community found out via a leaked internal email). Illumos is its own entity, and we'd only be asking for CVE entries based on what is open-sourced, modulo some really REALLY bizarre corner-case I can't imagine, but whose (remote) possibility I won't dismiss. There is always a chance that illumos has some problem that ALSO exists in now-closed Oracle Solaris (or perhaps in still open-sourced components that are common to both), but please do not equate the two as a rule of thumb.

Thanks,
Dan