RE: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs
From: "Christey, Steven M." <coley () mitre org>
Date: Thu, 7 Mar 2013 18:09:52 +0000
This is a major challenge for CVE, but to do bug-based assignments will make CVE too dependent on the amount of
vulnerability details that are available at the time of a CVE request - and those details vary widely. While it is a
problem for the distros, I have generally had the perspective that it is ultimately their responsibility to track which
portions of a CVE are fixed, and when.

Note - the more fundamental problem here is that CVE is being used much earlier in the disclosure process than it used
to be, and it's basically being used as a universal bug ID. I strongly encourage the Linux community to consider
adopting their own ID scheme.

I made comments similar to this a couple years ago, but I can't easily find the reference right now.
From: Solar Designer [mailto:solar () openwall com]
Sent: Thursday, March 07, 2013 4:19 AM
To: oss-security () lists openwall com
Subject: Re: [oss-security] CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs

On Thu, Mar 07, 2013 at 02:13:37AM -0700, Kurt Seifried wrote:
> Bundling the following into a single CVE:
> Please use CVE-2012-6138 for these issues.

I think this is wrong. I would understand if those issues were all in
the same subsystem at least (or if you assigned per-subsystem CVE IDs
for these), but this is not the case. Many distros will fix some, but
not the others, or not all at the same time. There's room for a little
bit of bundling here, but not that much.