Date: Wed, 2 Mar 2016 21:55:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, 
	cve-editorial-board-list <cve-editorial-board-list@...ts.mitre.org>
Cc: cve@...re.org
Subject: Re: Mitre, reserved CVEs and oss-security?

On Wed, Mar 2, 2016 at 6:25 PM, Paul Wise <pabs3@...edaddy.net> wrote:

> Hi all,
>
> I think it would be a good idea for Mitre to remove the RESERVED mark
> from CVEs that have been released for use by people mailing issues to
> the oss-security to get CVE numbers. The CVE database could then point
> at the oss-security mailing list archives as a reference for the issue.
>
> Any thoughts?
>
> For example CVE-2016-2515 could refer to one of these posts:
>
> http://www.openwall.com/lists/oss-security/2016/02/20/1
> http://www.openwall.com/lists/oss-security/2016/02/20/2


I had suggested this in the past (several years ago to the original Steven),
and again in this email last November:

https://cve.mitre.org/data/board/archives/2015-11/msg00018.html

My understanding is it's a no go due to two main factors:

1) CVE database lacks a good update mechanism to inform people of updated
entries
2) CVE entries must be "complete" before being added (e.g. researched/full
write up/etc.).

I could of course be wrong; we never actually got a response from Mitre on
my November email about this.

I'd be happy to bring it up on the board list again (CC'ed). Mitre, can you
enlighten us please?


>
>
> --
> bye,
> pabs
>
> http://bonedaddy.net/pabs3/
>
>


-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
