oss-sec mailing list archives

Re: CVE request experience (was: Multiple memory leaks fixed in Privoxy 3.0.29 stable)

From: Nick Tait <ntait () redhat com>
Date: Wed, 23 Dec 2020 11:24:31 -0700

That is a rather poor experience Fabian, sorry! Took a look at that
incident number and no encrypted message appears on our end. I believe you
did actually send a message but not sure what went wrong. While I can't
directly help, did request the appropriate people follow up with you.

Nick Tait

He / Him / His 🏳️‍🌈

Product Security Engineer - OpenStack

Red Hat
<https://www.redhat.com>

secalert () redhat com for urgent response
<https://www.redhat.com>

IM: nickthetait

If I am replying on an unusual time or day it is because I am working an
adjusted schedule. No pressure to reply immediately, wait until your normal
working hours.
<https://www.redhat.com>


On Wed, Dec 23, 2020 at 10:20 AM Fabian Keil <freebsd-listen () fabiankeil de>
wrote:

Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2020-11-29:

               Announcing Privoxy 3.0.29 stable

[...]

- Security/Reliability:
  - Fixed memory leaks when a response is buffered and the buffer
    limit is reached or Privoxy is running out of memory.
    Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.


I tried to get a CVE for OVE-20201118-0001 by using the
"new" form at https://cveform.mitre.org/ on 2020-11-18 but
was told by MITRE that "the reported vulnerabilities would
fall in the scope of Red Hat for assignment" and that their
mail should be forwarded to secalert () redhat com.

I did that on 2020-11-18 using the OpenPGP key recommended at:
https://access.redhat.com/security/team/contact

On 2020-11-23 I received a response from Red Hat claiming
that my e-mail had "no body".

The same day I replied with an unencrypted mail explaining
that the previous mail was OpenPGP-encrypted and asked whether
that was still supported.

As a result I was informed that "INC1525130" "has been resolved".

As of today I still haven't received a CVE and thus did
not bother to request CVEs for the other issues fixed in
Privoxy 3.0.29 ...

Fabian

Current thread:

Multiple memory leaks fixed in Privoxy 3.0.29 stable Fabian Keil (Nov 29)
- CVE request experience (was: Multiple memory leaks fixed in Privoxy 3.0.29 stable) Fabian Keil (Dec 23)
  - Re: CVE request experience (was: Multiple memory leaks fixed in Privoxy 3.0.29 stable) Nick Tait (Dec 23)
  - Re: CVE request experience (was: Multiple memory leaks fixed in Privoxy 3.0.29 stable) Jeffrey Walton (Dec 25)