Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F04BBA7.3060204@redhat.com>
Date: Wed, 04 Jan 2012 13:50:47 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>,
        Moritz Muehlenhoff <jmm@...ian.org>,
        Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
        security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On 01/04/2012 11:11 AM, Steven M. Christey wrote:
>
> All,
>
> A new CVE is needed for this.  The new variant SHOULD receive a new
> CVE because there's a different researcher (specifically, Jamie) and
> effectively a different version (probably upstream; also, many distros
> may have already fixed the original CVE-2011-3361).
>
> Blame the CVE content-decision documentation (and me, its author). 
> The current version can cause confusion, people can interpret it in
> different ways, plus there are gaps.  It needs some serious
> restructuring.  (This is why the document's not public.)
>
> Kurt (and other CNAs): the documentation problem is that ADT4 says
> "MERGE", which seems to imply that you should stop, but really you
> should continue to ADT5, which is about splitting based on different
> researchers. ADT4 is there to explicitly cover places where somebody
> might reasonably feel like splitting, but CVE does not.  There are
> also a couple other decision points that aren't documented yet.  You
> should generally fall through *all* the decision points, not just the
> first point that suggests split/merge/consult.  That is, all of ADT1
> through ADT5 should be examined when deciding how to group issues.
>
> - Steve
Ahhh.. I sort of wondered about that but never thought to ask. Derp! You
should probably update that document and post it prominently somewhere,
I know it has helped me a lot.

-- 

-- Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.