Date: Mon, 9 Oct 2017 13:11:18 +0200
From: Fabian Keil <fk@...iankeil.de>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Kurt Seifried <kseifried@...hat.com> wrote:

> If you see this: PLEASE SUBMIT THE URL AS AN UPDATE TO THE CVE USING THE
> CVE FORM (yes, I am shouting).
> 
> https://cveform.mitre.org

As you seem to be "shouting" a lot lately, I'd just like to point out
that using the MITRE(!) form requires the execution of non-free and
unsigned software from various sources.

Some people don't consider this a problem, others do.

> Choose "Request an update to an existing CVE entry" and then for "Type of
> update requested" choose "Update References" and then enter the CVE #,
> the info and URL and hit "Submit Request"

... trust your browser's "sandbox" to work as advertised for a change
and ignore the fact that you're running proprietary software that may
or may not be customised just for your system and can't be easily
audited in advance.

> TL;DR: Everyone wants the cat to wear a bell, and in the past I'll admit we
> (the CVE community) didn't make it easy to contribute. Well now we have
> made it easy to contribute, so please do.

TL;DR: Not everyone wants to allow remote code execution just to
request a CVE. Some people are sufficiently satisfied when security
issues are found and fixed in time. While CVE numbers are sometimes
nice to have, other identifiers work just as well (for some).

Fabian
