oss-sec mailing list archives

Re: CVE request - illumos


From: Dan McDonald <danmcd () omniti com>
Date: Mon, 20 Apr 2015 13:01:58 -0400

Addressing one part publicly:

On Apr 20, 2015, at 12:34 PM, cve-assign () mitre org wrote:

<SNIP!>

The cve-assign () mitre org address can be used for non-public requests
for illumos CVEs. There may be other options for the open-source
parts, but we think that not all of illumos is open source.
http://wiki.illumos.org/display/illumos/illumos+FAQs says "There still
remain some binary-only, closed source components that we inherited
from Oracle." If the component also affects an Oracle product, then
Oracle could assign the CVE ID.

The closed-source bits left over from Oracle will never be updated, because Oracle unceremoniously closed the old
OpenSolaris project without even telling the community (the community found out via a leaked internal email).

Illumos is its own entity, and we'd only be asking for CVE entries based on what is open-sourced, modulo some really 
REALLY bizarre corner-case I can't imagine, but whose (remote) possibility I won't dismiss.

There is always a chance that illumos has some problem that ALSO exists in now-closed Oracle Solaris (or perhaps in 
still open-sourced components that are common to both), but please do not equate the two as a rule of thumb.

Thanks,
Dan

