Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Jan 2012 13:11:51 -0500 (EST)
From: "Steven M. Christey" <>
To: Moritz Muehlenhoff <>
cc: Kurt Seifried <>,,
        Craig Barratt <>,,
Subject: Re: CVE Request: Security issue in backuppc


A new CVE is needed for this.  The new variant SHOULD receive a new CVE 
because there's a different researcher (specifically, Jamie) and 
effectively a different version (probably upstream; also, many distros may 
have already fixed the original CVE-2011-3361).

Blame the CVE content-decision documentation (and me, its author).  The 
current version can cause confusion, people can interpret it in different 
ways, plus there are gaps.  It needs some serious restructuring.  (This is 
why the document's not public.)

Kurt (and other CNAs): the documentation problem is that ADT4 says 
"MERGE", which seems to imply that you should stop, but really you should 
continue to ADT5, which is about splitting based on different researchers. 
ADT4 is there to explicitly cover places where somebody might reasonably 
feel like splitting, but CVE does not.  There are also a couple other 
decision points that aren't documented yet.  You should generally fall 
through *all* the decision points, not just the first point that suggests 
split/merge/consult.  That is, all of ADT1 through ADT5 should be examined 
when deciding how to group issues.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.