Date: Wed, 14 Dec 2016 08:09:09 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: why many CVEs are ** RESERVED ** on Mitre

On Wed, Dec 14, 2016 at 7:36 AM, Sevan Janiyan <venture37@...klan.co.uk> wrote:

> Hello,
>
> On 14/12/2016 14:24, Kurt Seifried wrote:
> > ** RESERVED ** This candidate has been reserved by an organization
> > or individual that will use it when announcing a new security problem.
> > When the candidate has been publicized, the details for this
> > candidate will be provided.
> >
> > This means that the entry number has been reserved by Mitre for an issue or
> > a CNA has reserved the number. So in the case where a CNA requests a block
> > of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks
> > of 500), the CVE number will be marked as reserved even though the CVE
> > itself may not be assigned by the CNA for some time. Until the CVE is
> > assigned AND Mitre is made aware of it (e.g. the embargo passes and the
> > issue is made public), AND Mitre has researched the issue and written a
> > description of it, entries will show up as "** RESERVED **".
>
> This creates a situation where the Mitre site does not provide any
> information, marking the CVE as reserved despite an official advisory
> for affected software referencing the CVE.

So? Also this isn't really the appropriate place for this discussion and
this will be my last reply to this thread.

> Somewhat frustrating when performing vulnerability management as the
> mitre URL is self documenting but useless to reference as a source.

I would suggest you consider getting involved in helping create CVEs if it
is such an important resource, rather than just being a somewhat classic
"Free rider" https://en.wikipedia.org/wiki/Free_rider_problem

> Sevan

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com