mailing list archives
Re: CVE Request: Security issue in backuppc
From: Kurt Seifried <kseifrie () redhat com>
Date: Wed, 04 Jan 2012 13:50:47 -0700
On 01/04/2012 11:11 AM, Steven M. Christey wrote:
A new CVE is needed for this. The new variant SHOULD receive a new
CVE because there's a different researcher (specifically, Jamie) and
effectively a different version (probably upstream; also, many distros
may have already fixed the original CVE-2011-3361).
Blame the CVE content-decision documentation (and me, its author).
The current version can cause confusion, people can interpret it in
different ways, plus there are gaps. It needs some serious
restructuring. (This is why the document's not public.)
Kurt (and other CNAs): the documentation problem is that ADT4 says
"MERGE", which seems to imply that you should stop, but really you
should continue to ADT5, which is about splitting based on different
researchers. ADT4 is there to explicitly cover places where somebody
might reasonably feel like splitting, but CVE does not. There are
also a couple other decision points that aren't documented yet. You
should generally fall through *all* the decision points, not just the
first point that suggests split/merge/consult. That is, all of ADT1
through ADT5 should be examined when deciding how to group issues.
Ahhh.. I sort of wondered about that but never thought to ask. Derp! You
should probably update that document and post it prominently somewhere,
I know it has helped me a lot.
-- Kurt Seifried / Red Hat Security Response Team