
oss-sec mailing list archives
Re: How to request a CVE for open source projects
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 23 May 2017 08:43:25 -0600
On 2017-05-22 8:28 PM, Perry E. Metzger wrote:
> On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried <kseifried () redhat com> wrote:
>>> Primarily, freeform discussion of the sort that occurred on this list as a natural outcropping of the CVE request process led to people linking to verification code, temporary mitigations, highlighting of incomplete fixes, and the sort of information that was requested earlier in this thread. This ability to easily chip in to ongoing situations wasn't just useful for MITRE staff doing CVE work, it was also useful for the "community of practice" looking for the latest information regarding self-defense. I've prevented more than one attack thanks to a one-off reply from someone in response to a CVE request.
>>
>> You can still do this. oss-security is a list run by Solar Designer (openwall.com). I happen to be a long-time poster/moderator, but I have no official control/etc. (I don't even block posts, that's up to Solar; I just allow stuff or ignore it when it's up for moderation).
>
> Maybe after CVEs are assigned the forms could be emailed to the list as a replacement for the old request emails, to kick off discussion and alert people to their existence?
>
> Perry
The primary goals of the DWF are:

1) Creating CVE Mentors that can do CVE assignments, train other CVE Mentors, and help create CNAs
2) Creating CNAs for OpenSource so CVE assignments happen as close to the vulnerability as possible
3) "Retail" CVE assignments (e.g. people using iwantacve.org)
4) Publishing that data to MITRE quickly as per the CNA guidelines, and to the community in general (so at a minimum you can just monitor GitHub; there may be more options moving forwards)

And that's basically it. If people want to monitor the CVEs the DWF assigns and run a git-to-email gateway, essentially they are welcome to, assuming they get Solar's approval (it's his list, so his rules), but it's out of scope for the DWF at this point. If people want the cat to have a nice bell they may have to step up and actually put a bell on the cat.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
Current thread:
- How to request a CVE for open source projects Michael Catanzaro (May 22)
- Re: How to request a CVE for open source projects Marcus Meissner (May 22)
- Re: How to request a CVE for open source projects Kurt H Maier (May 22)
- Re: How to request a CVE for open source projects Kurt Seifried (May 22)
- Re: How to request a CVE for open source projects Kurt H Maier (May 22)
- Re: How to request a CVE for open source projects Kurt Seifried (May 22)
- Re: How to request a CVE for open source projects Kurt H Maier (May 22)
- Re: How to request a CVE for open source projects Kurt Seifried (May 22)
- Re: How to request a CVE for open source projects Kurt H Maier (May 22)
- Re: How to request a CVE for open source projects Perry E. Metzger (May 22)
- Re: How to request a CVE for open source projects Kurt Seifried (May 23)
- Re: How to request a CVE for open source projects Kurt H Maier (May 22)
- Re: How to request a CVE for open source projects Marcus Meissner (May 22)
- Re: How to request a CVE for open source projects Martin (May 22)
- Re: How to request a CVE for open source projects Kurt Seifried (May 22)