Date: Thu, 25 Jul 2013 02:58:05 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Matthew Wilkes <matt@...distillery.eu> Subject: Re: Re: CVE Request - PloneFormGen, multiple vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/19/2013 07:53 AM, Matthew Wilkes wrote: >> Sorry thought i had replied to this. I need links to the code >> commits/vuln code so I can confirm these. >> >> To reiterate: so I can confirm CVE assignments, and prevent >> duplicate assignments you *MUST* provide links to the code >> commits/vulnerable code. I don't have the time to go hunting >> through your source code for them. People need to start making >> better CVE requests, or you're not going to get CVEs from me. > > Sorry, I wasn't aware you'd be wanting to trawl through the source > yourself, tried to provide enough context in the original. Quite honestly I want to go through your source code, or for that matter any ones source code I'm not personally responsible for like I want to get kicked in the face by a horse. But I also want to make sure CVE's get assigned correctly. So three main problems arise: 1) Does the issue(s) need a CVE? sometimes they are security hardening that look a lot like security vulnerabilities, but ultimately are not (see Steven's recent email about timing attacks/user name disclosure in Django for a good example of this). 2) incorrect SPLIT/MERGE of issues (it can be subtle) 3) duplicate CVE assignments Having QUICK access to the source code vulns/corrections makes all the above much much easier. Plus I'm not the only one analysing these issues, other open source vendors who ship your code may want to back port the fix, or make sure the fix is correct, or look for similar problems in your source code. Then you've got companies like iSIGHT Partners and iDefense (whom I formerly contracted for) that are just two of literally HUNDREDS of companies that go through all the stuff posted here (and Bugtraq/Full-Disclosure, and every other security list on the planet). This means rather then HUNDREDS of people having to hunt down the specific source code links/patches the original CVE requester makes sure it gets taken care. This scales and is much more efficient. Plus the original requester is a lot more likely to get it correct. You're not asking for CVE's in a vacuum. CVE's are widely used by literally millions of people and organizations, we need to make sure they are done right or we will cause an obscene amount of time and money to be wasted. CVE assignment to follow tomorrow because it's 3am here. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR8OidAAoJEBYNRVNeJnmTR9QP/i0mhCdFmjd5jhLznVHOspzs cutqLnLEifmdUx5b6pEdBeV/4xIToEpA4NSXUH9k0wm5oJVTQAMznavRVrsAPyro pGzgZr8CdY//NuFrfcK02qwBTwwvevVmPt1zWLSe+PJ4oxEj6tILxqUKEIolDri3 QMUOs2Yr+GQOEa50Al4GraDHSQOPjdzI4hmQ4gOwOH6JA5It7+dTePvtCMj18Sof Wq9vBitqog7WMdT8C5vKx//DgP/Wrk6kDsdLCIxjrRhAuApExnCr7W+WjBfKe1rH LRT82Fxoe0TnGH+0RrH3Z1UEJkAyGtv2WEePCU7eSHubwndq2lt0ewACW+hK/fsr kMvdNBvlPC877RkvHLEznJSII5cAXBdEHhDnBgRlnR7mWrAMdaoTkyvLJNUm3Swy p0mfuLXDu7e1O+pKhQbHjykv27bunIMa0i1pHJ5fx3EXsB4mvei+CNt9/1VzgySO HbSVcOMBX05o/pCwpaAyrwfMsNwCqWNXZRCkrmu+LwuZg7SJDy4YHXuDgWuwd/7D ASuiLB/ue2syXyJs8ImWSSrzsl62SH8F4LZRqiaEZbO3Shdiko75pMAZpBTsi3qL /6mv7l84YEKir8McUwuMp6U8MTXxTbSR2VAnrQvuEVWC1ydK5VZz0A4Cw3lwG6d7 roWkIh0hY2cJZwEPkX2r =8Vjl -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.