Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Mar 2012 09:44:37 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Mark Stanislav <mark.stanislav@...il.com>,
        "Adam D. Barratt" <adam@...m-barratt.org.uk>,
        Kurt Seifried <kseifried@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Requests

On 03/17/2012 12:11 AM, Mark Stanislav wrote:
> All points being made are very much valid and I certainly understand how
> contextually oss-sec may be used to allocation requests under different
> circumstances.
> 
> So here's my situation, I'm up for suggestions (of which, "wait longer", is
> perfectly viable!)...
> 
> 1) March 1st, I sent 2 of these CVEs over to Steve Christy at MITRE who had
> previously allocated 9 prior CVEs in a day or two generally
[...]

I think the problem is simple.

Mark, if the patch is released, that means it's public even if the
details are not publicly discussed. Provide the patch information (hash,
link to the patch, etc), and we will assign CVE names. No one will be
confused if there are duplicate names assigned to them.

If you are not comfortable talking about these issues in public, sure,
use http://oss-security.openwall.org/wiki/mailing-lists/distros. And we
will follow-up from there.

Keep Steve and/or MITRE cc'ed.

No one wants to make things difficult for you. If everyone does their
part, names will be allocated very quickly.

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.