mailing list archives
Re: CVE Request: Security issue in backuppc
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 4 Jan 2012 13:11:51 -0500 (EST)
A new CVE is needed for this. The new variant SHOULD receive a new CVE
because there's a different researcher (specifically, Jamie) and
effectively a different version (probably upstream; also, many distros may
have already fixed the original CVE-2011-3361).
Blame the CVE content-decision documentation (and me, its author). The
current version can cause confusion, people can interpret it in different
ways, plus there are gaps. It needs some serious restructuring. (This is
why the document's not public.)
Kurt (and other CNAs): the documentation problem is that ADT4 says
"MERGE", which seems to imply that you should stop, but really you should
continue to ADT5, which is about splitting based on different researchers.
ADT4 is there to explicitly cover places where somebody might reasonably
feel like splitting, but CVE does not. There are also a couple other
decision points that aren't documented yet. You should generally fall
through *all* the decision points, not just the first point that suggests
split/merge/consult. That is, all of ADT1 through ADT5 should be examined
when deciding how to group issues.