Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 10 Jul 2024 18:14:34 -0700
From: Alan Coopersmith <>
To:, Pete Allor <>
Subject: Re: CVE-2024-6387: RCE in OpenSSH's server, on
 glibc-based Linux systems

On 7/10/24 08:06, Pete Allor wrote:
> Under CVE rules, Red Hat can only assign a CVE for issues within our scope,
> which for most CNAs means their software.   RH has on occasion, provided a
> CVE for upstream projects which are not covered by another CNA.  That is
> really about a coordination point between multiple parties.

But the scope of Red Hat's CNA explicitly includes all open source projects
included in a Red Hat product:

and many projects have been told to contact Red Hat to request CVEs over
the years.   I know I've requested and received many CVE's from the
Red Hat CNA for security advisories issued by the X.Org Foundation - far
more than "on occasion".

         -Alan Coopersmith-       
          Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.