Date: Sun, 03 Mar 2013 12:50:31 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Michael Tokarev <mjt@....msk.ru>, Piotr Karbowski <piotr.karbowski@...il.com> Subject: Re: CVE id request: busybox -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/03/2013 08:01 AM, Michael Tokarev wrote: > 03.03.2013 18:33, Piotr Karbowski wrote: >> On 03/03/2013 11:19 AM, Michael Tokarev wrote: >>> What it has to do with Debian, besides that debian was first to >>> actually submit this bug into its own bug tracker? >> >> Acctualy not the first, the bug was reported to busybox >> mailinglist on 18 Dec 2012. > > That's where I noticed it and submitted a bugreport to Debian BTS > from there. > > Note that I didn't want to request a CVE# for that, and used a > somewhat low severify value for the report in the Debian BTS (which > was quite some time after the initial report). > > If I thought it deserves a CVE, I'd request one right after seeing > the discussion in question :) > > But I guess we're muddling waters for too much already. I merely > commented on the joke about Debian, -- the issue is definitely not > debian-specific, Debian does not even use mdev from busybox (but > allows to use it to the users). > > Thanks, > > /mjt > This actually raises a good point, due to Debian being a secondary source in most cases (e.g. upstream has a bug report which is then copied into Debian's bug tracker since Debian ships it) the dates and sometimes information is wrong. I will no longer be issuing CVE's for issues brought up through the Debian bugtracker without an original source to back it up, otherwise more mistakes will happen which is not good. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRM6mHAAoJEBYNRVNeJnmTM8cQAJZqQPpzsLaicBfyFwsnZ6gK 8IOdtaqDZdE6oYoV10QgvQa018ASXjED+blG8lvZptF2wVuXjVi3+C5uGY8J6UH7 REGCRShlplJ9798XzGxmFVcSezkOGQmZUvV8QSQRZHIqNfPuwSMsM6uwnXRlfDF3 VACwecuo76dSZ1+q3E2DUz9WcUYEnvRMoFwsJiTe/+uxCfcH4xMFYI9raofHAYRf FC3q34Elc+AXxzxF1MC1WE9HjrwmUYNx2bxhcuuGhzyv3TQztgrxO+8RCd9xXcc2 6Gt5ErQHY16LQ7DTv0I/1OpXEb5DgFrP6wDBb0RbONiZcm/k5QYgxpV+fInZylDT oBzNeUopyC0y7ZLVQDx++iKAeD7Dt+qhCPNtiHAPGvyj9cyIm+Kkt2t5KsQtOfkF vy35FGM3aXs6ZPaqtbQZ3CxUX8Bg0rBLjV9sF79yUyx+5ybg9U7NbnxEp27kKlZN OTXmwvwsQ3uCf3uv7/9uNCVD4Q95K+gfZAZtH9zgVFjwzbzAsVu6yNNQvz9/ShzM TjcGb77wW/IrGwFi7tslRlNARzSVWGBMbl8wsdum3Xctus4ZfYM6JSKhD9KlmM5L MxV596WPUb3mlqh2AhEOA2XBzv19jMejcH+EL7UnJONC+bf8FV32msmxtyRDVl97 V0DINRevLl/L+OxxMifm =lwSO -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.