Date: Mon, 21 Oct 2013 14:08:14 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Forest Monsen <forest.monsen@...il.com>
Subject: Re: Re: CVE duplicates SA-CONTRIB-2013-075

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2013 09:41 AM, Christey, Steven M. wrote:
> Note that with two CNAs handling already-public issues, there are
> multiple ways that duplicates can arise. This risk grows as
> MITRE's output increases. On the MITRE side, we are revisiting our
> procedures for reducing the number of duplicates. We already
> privately identified the increased duplicate risk with Kurt and
> will work with him to make things more manageable.
>
> For this specific situation: MITRE processed the Drupal advisories
> on September 25, creating new CVEs that were thus available in NVD
> at approximately 11 AM Eastern time. Forest's request to
> oss-security happened on September 26. Kurt's response to
> oss-security was on September 27. So in this case, there were
> multiple opportunities for requesters to check for pre-existing
> CVEs in NVD.
>
> The MITRE-assigned CVE-2013-5937 and CVE-2013-5938 are in more
> active use and were published first, so they will be kept.
>
> REJECT CVE-2013-4381 as a duplicate of CVE-2013-5938.
>
> REJECT CVE-2013-4382 as a duplicate of CVE-2013-5937.
>
> Forest, please update the advisory to use the MITRE-assigned
> numbers.
>
> - Steve

Yup, I failed to check because, well, in the past it had never been a problem and I didn't know MITRE was increasing their output with respect to the open source public assignments. Hopefully it shouldn't happen again.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSZYmuAAoJEBYNRVNeJnmT19AP+gMlW0BxSiM1jZIRDVWl7x4E
QOzjZ4Wrf0iw7jjg+Xz/wD1GOUMkqPqXPoEe75xIHhOkcB4gcgtfwxx8JlMer+r8
GOfuHPPvWsFQdT0N+8rETPyFr8mCNzGlFv6bJuwMoc9/6S8JJnoXZx+GYjtN9lfJ
fqCVqzeiuF+C86pdW5p6Eb4JEgE7fzpAprEO6oXMCvJwi0n9Q2IO2gjE1mLo64Nr
u2DLbsj6TqW8Vr6q+/889WRkAYdP4HLeOwK6HNiUtBF9iULERhRkVoAPJhqQoPWd
cqp3JjhT6CGv1JhjCmXYPX5MDM/4wVj2Xd8Tu0VR8KAVTZRdp9j8dNgtqP1xsiM7
TSxpfcZxoNvNmEOIIbelEjGqdC7Nl6rEhgk4lolyDDUq+BeYhum0SE/A3/al+KOz
m5NcoTiZSw29kwBZJ5nyT/VkBipOYNCZ92IMaXBQaq/xk+oh9UaGFX0HgEglC8LX
ktx5Il4/yRRnNxuUCITlN1kdMyUYhT15Wn5171SE37ii5qvvJbfK4DIOyBninuHr
9YMxH3qTF6xUBYEkzliU52m0IywFLF2DrFgTKKF6ENbCiAlQP1MZxXtj2bmfm32s
+5Bm2LKbZDRjLkzLE0EDxrQfLX8l6TUjKBlij3EyvuXsA8+nq5ylt0kpw3ywBHKT
Cy81JmErK59LDnU4ddph
=EW1Q
-----END PGP SIGNATURE-----