Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 11 Oct 2014 20:13:15 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: Re: Request for CVE assignment for tigervnc affected
 by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver

On 11/10/14 03:59 PM, cve-assign@...re.org wrote:
> First, in general, when asking for a CVE assignment for an issue
> "similar" to an existing CVE, it is very useful to provide an
> additional statement or reference indicating why the issue should not
> be mapped to the existing CVE. A difference in the product name does
> not always require a separate CVE.

Agreed. One pain point i have encountered with CVE SPLIT/MERGE is the
"when is a code fork a fork, or just a normal fork?" E.g. sometimes it's
easy: like one week after the MariaDB fork from MySQL it's obvious that
any flaw affecting one will affect the other and they're basically the
same code, but as time goes on MariaDB is diverging. One thing that
would be hugely useful here to solve the CVE MERGE problem, and to let
people know what related software packages they should look at would be
a database of code considered "equivalent" by Mitre for the purposes of
CVE MERGE and also for people to check if other things are affected by
the same flaw.

I suspect there aren't actually that many entries, and populating it as
they come up would be pretty simple, especially if there's an easy way
to submit entries (just send an email?).  Would this be something Mitre
can do perhaps?

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ