Date: Wed, 2 Mar 2016 21:55:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>,
 cve-editorial-board-list <cve-editorial-board-list@...ts.mitre.org>
Cc: cve@...re.org
Subject: Re: Mitre, reserved CVEs and oss-security?

On Wed, Mar 2, 2016 at 6:25 PM, Paul Wise <pabs3@...edaddy.net> wrote:

> Hi all,
>
> I think it would be a good idea for Mitre to remove the RESERVED mark
> from CVEs that have been released for use by people mailing issues to
> the oss-security to get CVE numbers. The CVE database could then point
> at the oss-security mailing list archives as a reference for the issue.
>
> Any thoughts?
>
> For example CVE-2016-2515 could refer to one of these posts:
>
> http://www.openwall.com/lists/oss-security/2016/02/20/1
> http://www.openwall.com/lists/oss-security/2016/02/20/2

I had suggested this in the past (several years ago to the original Steven),
and again in this email last November:

https://cve.mitre.org/data/board/archives/2015-11/msg00018.html

My understanding is it's a no go due to two main factors:

1) CVE database lacks a good update mechanism to inform people of updated
entries
2) CVE entries must be "complete" before being added (e.g. researched/full
write up/etc.).

I could of course be wrong; we never actually got a response from Mitre on
my November email about this. I'd be happy to bring it up on the board list
again (CC'ed). Mitre, can you enlighten us please?

>
>
> --
> bye,
> pabs
>
> http://bonedaddy.net/pabs3/
>
>

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com