Date: Wed, 2 Mar 2016 21:55:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>,
    cve-editorial-board-list <cve-editorial-board-list@...ts.mitre.org>
Cc: cve@...re.org
Subject: Re: Mitre, reserved CVEs and oss-security?

On Wed, Mar 2, 2016 at 6:25 PM, Paul Wise <pabs3@...edaddy.net> wrote:

> Hi all,
>
> I think it would be a good idea for Mitre to remove the RESERVED mark
> from CVEs that have been released for use by people mailing issues to
> the oss-security to get CVE numbers. The CVE database could then point
> at the oss-security mailing list archives as a reference for the issue.
>
> Any thoughts?
>
> For example CVE-2016-2515 could refer to one of these posts:
>
> http://www.openwall.com/lists/oss-security/2016/02/20/1
> http://www.openwall.com/lists/oss-security/2016/02/20/2

I had suggested this in the past (several years ago to the original Steven),
and again in this email last November:

https://cve.mitre.org/data/board/archives/2015-11/msg00018.html

My understanding is it's a no go due to two main factors:

1) CVE database lacks a good update mechanism to inform people of updated
entries
2) CVE entries must be "complete" before being added (e.g. researched/full
write up/etc.).

I could of course be wrong, we never actually got a response from Mitre on
my November email about this. I'd be happy to bring it up on the board list
again (CC'ed). Mitre, can you enlighten us please?

>
>
> --
> bye,
> pabs
>
> http://bonedaddy.net/pabs3/
>
>

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com