Date: Sat, 11 Oct 2014 20:13:15 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver

On 11/10/14 03:59 PM, cve-assign@...re.org wrote:
> First, in general, when asking for a CVE assignment for an issue
> "similar" to an existing CVE, it is very useful to provide an
> additional statement or reference indicating why the issue should not
> be mapped to the existing CVE. A difference in the product name does
> not always require a separate CVE.

Agreed. One pain point I have encountered with CVE SPLIT/MERGE is the
"when is a code fork a fork, or just a normal fork?" E.g. sometimes it's
easy: like one week after the MariaDB fork from MySQL it's obvious that
any flaw affecting one will affect the other and they're basically the
same code, but as time goes on MariaDB is diverging.

One thing that would be hugely useful here to solve the CVE MERGE
problem, and to let people know what related software packages they
should look at would be a database of code considered "equivalent" by
Mitre for the purposes of CVE MERGE and also for people to check if
other things are affected by the same flaw. I suspect there aren't
actually that many entries, and populating it as they come up would be
pretty simple, especially if there's an easy way to submit entries (just
send an email?).

Would this be something Mitre can do perhaps?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993