Date: Tue, 29 Aug 2017 10:49:17 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, Aug 29, 2017 at 10:44 AM, Bob Friesenhahn <> wrote:

> On Tue, 29 Aug 2017, Agostino Sarubbo wrote:
>> Hi all.
>> Lately there have been some people running afl for fuzzing... that's
>> just fine and great. Some people fail to communicate their findings to
>> upstream and request a CVE from MITRE.
>> However, I'm noticing that every day there are new duplicates; let me post
>> some examples:
> It is important to keep in mind that CVEs are issued against "products".
> There might be a CVE issued against a software version distributed by Red
> Hat or Debian which is not applicable to the upstream version.  Since each
> distribution patches their version it is difficult to know the "product"
> that a particular CVE is applicable to.

Actually no, that is incorrect. Please see the CVE counting rules; it's a
LOT more nuanced than "CVEs are issued against products". The docs are at

TL;DR: CNT1 comes into play and you get situations like libxml/gzip being
embedded all over the place, but only a single CVE because 1) it's a single
code base that's copied everywhere and 2) pragmatism.

> I agree that in my personal experience upstream maintainers are rarely
> involved in the CVE process.

Something I am trying to change. If you are an upstream and you want to
become a CVE Numbering Authority (CNA) for your project(s) please contact

> Bob
> --
> Bob Friesenhahn
> GraphicsMagick Maintainer,


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:
