Date: Tue, 29 Aug 2017 10:49:17 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, Aug 29, 2017 at 10:44 AM, Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> wrote:

> On Tue, 29 Aug 2017, Agostino Sarubbo wrote:
>
>> Hi all.
>>
>> Lately there are some people that run afl for fuzzing... that's just
>> fine and great. Some people fail to communicate their findings to
>> upstream and request a CVE from mitre.
>> However I'm noticing that every day there are new duplicates, let me post
>> some examples:
>>
>
> It is important to keep in mind that CVEs are issued against "products".
> There might be a CVE issued against a software version distributed by Red
> Hat or Debian which is not applicable to the upstream version.  Since each
> distribution patches their version it is difficult to know the "product"
> that a particular CVE is applicable to.


Actually no, that is incorrect. Please see the CVE counting rules, it's a
LOT more nuanced than "CVEs are issued against products". The docs are at

https://cve.mitre.org/cve/editorial_policies/counting_rules.html

TL;DR: CNT1 comes into play and you get situations like libxml/gzip being
embedded all over the place, but only a single CVE because 1) it's a single
code base that's copied everywhere and 2) pragmatism.


>
> I agree that in my personal experience upstream maintainers are rarely
> involved in the CVE process.


Something I am trying to change. If you are an upstream and you want to
become a CVE Numbering Authority (CNA) for your project(s) please contact
me.


>
>
> Bob
> --
> Bob Friesenhahn
> bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
>



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
