Date: Mon, 20 Apr 2015 13:01:58 -0400
From: Dan McDonald <danmcd@...iti.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, Dan McDonald <danmcd@...iti.com>
Subject: Re: CVE request - illumos

Addressing one part publicly:

> On Apr 20, 2015, at 12:34 PM, cve-assign@...re.org wrote:

<SNIP!>

> The cve-assign@...re.org address can be used for non-public requests
> for illumos CVEs. There may be other options for the open-source
> parts, but we think that not all of illumos is open source.
> http://wiki.illumos.org/display/illumos/illumos+FAQs says "There still
> remain some binary-only, closed source components that we inherited
> from Oracle." If the component also affects an Oracle product, then
> Oracle could assign the CVE ID.

The closed-source bits leftover from Oracle will never be updated, because Oracle unceremoniously closed the old OpenSolaris project without even telling the community (the community found out via a leaked internal email).

Illumos is its own entity, and we'd only be asking for CVE entries based on what is open-sourced, modulo some really REALLY bizarre corner-case I can't imagine, but whose (remote) possibility I won't dismiss.

There is always a chance that illumos has some problem that ALSO exists in now-closed Oracle Solaris (or perhaps in still open-sourced components that are common to both), but please do not equate the two as a rule of thumb.

Thanks,
Dan