oss-sec mailing list archives
Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 10 Jul 2024 18:14:34 -0700
On 7/10/24 08:06, Pete Allor wrote:
> Under CVE rules, Red Hat can only assign a CVE for issues within our scope, which for most CNAs means their software. RH has, on occasion, provided a CVE for upstream projects which are not covered by another CNA. That is really about a coordination point between multiple parties.

But the scope of Red Hat's CNA explicitly includes all open source projects included in a Red Hat product: https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat and many projects have been told to contact Red Hat to request CVEs over the years. I know I've requested and received many CVEs from the Red Hat CNA for security advisories issued by the X.Org Foundation - far more than "on occasion".

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
