Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 29 Apr 2013 18:57:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Christey, Steven M." <coley@...re.org>,
        Josh Bressers <bressers@...hat.com>
Subject: Re: OS command injection vulnerability in Chicken
 Scheme

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2013 03:18 PM, Christey, Steven M. wrote:
> Despite popular perception, the presence of useful details does not
> necessarily get CVEs published more quickly (although missing or
> conflicting details certainly make things worse, and poorly-written
> advisories can reduce overall throughput).  We have particular
> description styles and analytical requirements that are not visible
> to the general public.  We have a process where we actively monitor
> public sources including oss-security, and we prioritize which CVE
> entries are published first.  Priorities are currently guided by 
> http://cve.mitre.org/data/board/archives/2012-09/msg00000.html, but
> other disclosures are certainly considered as well.
> 
> We are currently focused on working with the CVE Editorial Board on
> extending the CVE ID syntax to handle more than 10,000
> vulnerabilities per year, and we are also training several new
> hires.  We expect our output to rise noticeably within a few
> months, and we will continue to refine our analysis and publication
> processes to improve our production in a way that balances the
> needs of CVE's many diverse users.
> 
> - Steve

One thing I think would help is having a 1-2 page advisory guideline,
e.g. what do we need for assigning CVE's/writing CVEs up and in
general what do the end users/etc want. I set this up as a bare
minimum type thing:

https://cveform-kseifried.rhcloud.com/cve-request-form/

Not all fields are required. If anyone else has comments/etc please
email me and I'll see about getting this written up as a short HOWTO.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRfxcBAAoJEBYNRVNeJnmTEo4P/2AZGkmdfVj5rG/AU8jigFC9
j4yYZRlcWAzs9GNTcZIk1NRnQXNtwu16C9hKurKzjZ1Angyir+3f4mEd6UjkVeTp
bbD2FJ6zQATiRuRBpsZvd3HrYll2Jcl+qtBc1FVWeM7PX/5nGzsffgwvz5JD5qPg
i461pLQ3A5qrthbIGMeZr7CfP6frP+oecaJHqi0aw8CDC+fGOeTG1jqvOyi7BKah
2w3M3VnBod5M+OkHbANRKUF4VjqkkshjMWa9kgSSB4665SEsm3l2uEuRXCKlIsAZ
W92RIm9cM379qlLyMmW3v7ifwU1rxEn4fkIZyPl4ja+29xdk1GiMCOeZ14cGAwSg
m7Vb9oj2ufJkxM86pKyXdlZC9kDzspzj7jbP8r5hoqoFhbufv3SYbk8LTbukudxi
y+E/QRN1YRZ2lmd1+RaQO8GAEEZd84o5FVsiqv1SKvNhkdVdg8blU9nyfhaskkPk
gl2mVzPy2Nz6acRe2l9/fYtWpoYB7kxA8ZGW/pU8Nm2IENxudVOOcE9V4rp4bky7
AQw2qlP6cY4cvVmbOGgHYA+p/E0OqW9SQp3CLSS8E1+1KlHcloMyOp3gHCQqRNbl
8fk245nvLZNAg4thJNARR3O1nBY2zVJhxPRK/aE1Y0TN5yW8iblEUf8SvgFqfGbk
OQvXab9S2ClFXNg2EQ/t
=GQFz
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.