Date: Mon, 09 Oct 2017 16:17:40 -0400
From: Stiepan <stie@....swiss>
To: fk@...iankeil.de, oss-security@...ts.openwall.com
Cc: kseifried@...hat.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

+1; let's use other identifiers! And why not, a blockchain (based on at least SHA3) for public security issues? That would be great. And as trustable, as transparent as it needs to be.

Amen

-------- Original Message --------
On 9 Oct 2017, 13:11, Fabian Keil wrote:

> Kurt Seifried wrote:
>
>> If you see this: PLEASE SUBMIT THE URL AS AN UPDATE TO THE CVE USING THE
>> CVE FORM (yes, I am shouting).
>>
>> https://cveform.mitre.org
>
> As you seem to be "shouting" a lot lately, I'd just like to point out
> that using the MITRE(!) form requires the execution of non-free and
> unsigned software from various sources.
>
> Some people don't consider this a problem, others do.
>
>> Choose "Request an update to an existing CVE entry" and then for "Type of
>> update requested" choose "Update References" and then enter the CVE #,
>> the info and URL and hit "Submit Request"
>
> ... trust your browser's "sandbox" to work as advertised for a change
> and ignore the fact that you're running proprietary software that may
> or may not be customised just for your system and can't be easily
> audited in advance.
>
>> TL;DR: Everyone wants the cat to wear a bell, and in the past I'll admit we
>> (the CVE community) didn't make it easy to contribute. Well now we have
>> made it easy to contribute, so please do.
>
> TL;DR: Not everyone wants to allow remote code execution just to
> request a CVE. Some people are sufficiently satisfied when security
> issues are found and fixed in time. While CVE numbers are sometimes
> nice to have, other identifiers work just as well (for some).
>
> Fabian
