Date: Tue, 29 Aug 2017 10:49:17 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, Aug 29, 2017 at 10:44 AM, Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> wrote:

> On Tue, 29 Aug 2017, Agostino Sarubbo wrote:
>
>> Hi all.
>>
>> Lately there are some people running afl for fuzzing... that's just
>> fine and great. Some people fail to communicate their findings to upstream
>> and request a CVE from MITRE.
>> However, I'm noticing that every day there are new duplicates; let me post
>> some examples:
>>
>
> It is important to keep in mind that CVEs are issued against "products".
> There might be a CVE issued against a software version distributed by Red
> Hat or Debian which is not applicable to the upstream version. Since each
> distribution patches its version, it is difficult to know the "product"
> that a particular CVE is applicable to.

Actually no, that is incorrect. Please see the CVE counting rules; it's a LOT
more nuanced than "CVEs are issued against products". The docs are at

https://cve.mitre.org/cve/editorial_policies/counting_rules.html

TL;DR: CNT1 comes into play and you get situations like libxml/gzip being
embedded all over the place, but only a single CVE because 1) it's a single
code base that's copied everywhere and 2) pragmatism.

> I agree that in my personal experience upstream maintainers are rarely
> involved in the CVE process.

Something I am trying to change. If you are an upstream and you want to
become a CVE Numbering Authority (CNA) for your project(s), please contact me.

> Bob
> --
> Bob Friesenhahn
> bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com