Date: Wed, 4 Jan 2012 13:11:51 -0500 (EST) From: "Steven M. Christey" <coley@...-smtp.mitre.org> To: Moritz Muehlenhoff <jmm@...ian.org> cc: Kurt Seifried <kseifrie@...hat.com>, oss-security@...ts.openwall.com, Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org, security@...ntu.com Subject: Re: CVE Request: Security issue in backuppc All, A new CVE is needed for this. The new variant SHOULD receive a new CVE because there's a different researcher (specifically, Jamie) and effectively a different version (probably upstream; also, many distros may have already fixed the original CVE-2011-3361). Blame the CVE content-decision documentation (and me, its author). The current version can cause confusion, people can interpret it in different ways, plus there are gaps. It needs some serious restructuring. (This is why the document's not public.) Kurt (and other CNAs): the documentation problem is that ADT4 says "MERGE", which seems to imply that you should stop, but really you should continue to ADT5, which is about splitting based on different researchers. ADT4 is there to explicitly cover places where somebody might reasonably feel like splitting, but CVE does not. There are also a couple other decision points that aren't documented yet. You should generally fall through *all* the decision points, not just the first point that suggests split/merge/consult. That is, all of ADT1 through ADT5 should be examined when deciding how to group issues. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.