oss-sec mailing list archives
Re: CVE IDs needed for PHP vulnerabilities (affects 5.6.30 and 7.0.20)
From: Solar Designer <solar () openwall com>
Date: Wed, 5 Jul 2017 15:33:41 +0200
On Wed, Jul 05, 2017 at 03:50:58PM +0300, Lior Kaplan wrote:
> AFAIK, when the issue is already public the list is just fine. From the cve-assign auto reply: "In the special case of communications involving a publicly known vulnerability on the oss-security mailing list, please do not use the https://cveform.mitre.org web site at this time, and instead send new or followup messages directly to that mailing list."
I think the above is about additional "communications involving" a vulnerability that already has a CVE ID, not about the CVE request.

FWIW, on the distros list wiki page, we currently ask to avoid using the private lists if one's "sole purpose of their use is to obtain a CVE ID", and in a footnote we give this alternative procedure:

"In those "CVE only" cases, please start by posting about the (to be made) public issue to oss-security (without a CVE ID), request a CVE ID from MITRE directly, and finally "reply" to your own posting when you also have the CVE ID to add. With the described approach you would only approach MITRE after the issue is already public, but if you choose to do things differently and contact MITRE about an issue that is not yet public, then please do not disclose to them more than the absolute minimum needed for them to assign a CVE ID."

"from MITRE directly" is a link to https://cveform.mitre.org and "the absolute minimum" is a link to http://www.openwall.com/lists/oss-security/2015/04/14/3

I hope this procedure is consistent with everyone's expectations. Salvatore's reply quoted below is consistent with it. Thank you for helping run this list, Salvatore!

I think that ideally we add to such boilerplate replies (the need for which will hopefully become infrequent) that we appreciate being notified of the vulnerabilities first (before the CVE IDs are requested from MITRE) and want it to stay this way going forward (just not in the form of CVE requests, but rather in the form of vulnerability notifications also stating that CVE IDs are being requested separately and will be posted in here later). I don't care about CVEs much, but we need to know where to redirect those requests to, and we also need to make it likely that we'll receive the actual vulnerability detail on oss-security (the sooner, the better).
> On Wed, Jul 5, 2017 at 3:34 PM, Salvatore Bonaccorso <carnil () debian org> wrote:
> > CVE assignment requests are not handled anymore directly via the oss-security list, but need to be filed/requested at https://cveform.mitre.org/
> > Once CVEs are assigned, can you repost them here for the benefit of other readers?
Alexander