Re: DSU

["Steven M. Christey" <coley () mitre org>]

Ran across this old thread, and decided to answer since this topic
crops up now and then.

> >  = pageexec () freemail hu
> = Florian Weimer


> > nice try but then how do you explain the following:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2448
>
> The CVE name likely likely comes from a CNA pool.  In this case, the
> assignment date has *nothing* to do with the discovery date.

Florian is right.  The "assigned" date is literally when we allocate a
CVE number and add it to our database, even for reserved candidates.
In this case, the candidate was part of a pool of reserved candidates
given to the Red Hat CNA (Candidate Numbering Authority), so the
assigned date is when we created that pool.  We rarely have any
insight as to when a CNA links one of its own CVEs to a specific
issue.

> my point was, once again, that at the time the commit was made, its
> full impact was well known, yet it was not mentioned *at all*
> (regardless of when the CVE entry was created, though i bet it
> happened before the git commit).

I can't speak for when the distros knew about this issue relative to
the git commit, and I don't remember what CVE knew about this and
when.  However, 95% of CVE's that come from a CNA are news to us when
they become public.  One of the benefits of using a CNA is that it
removes MITRE from the disclosure loop, both for speed and to respect
whatever pre-disclosure embargoes are in place.

- Steve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave