oss-sec mailing list archives

Re: issue with stuck Mitre CVE requests


From: Johannes Segitz <jsegitz () suse de>
Date: Wed, 22 Jan 2025 15:18:10 +0100

On Wed, Jan 22, 2025 at 12:50:21PM +0100, Greg KH wrote:
> But this topic has come up recently in talking with other open source
> CNA groups.  The "real" solution for it is to talk to a different root
> CNA (i.e. anyone other than MITRE).  For open source projects, that
> _should_ be Red Hat, but I don't know if they yet have a simple way to
> ask for stuff like this, other than the back-channel you probably used
> last time.  I think RH is working to codify this somehow, but I can't
> speak for them.

We considered this and might go this route, but this is mostly for embargoed
issues. For more important vulnerabilities we share them via (linux-)
distros, but it would be IMHO kind of weird to request CVEs for non-public
vulnerabilities from RH.

> Or, better yet, as SUSE is a CNA, why not just assign CVE ids yourself,
> as part of the "open source projects affected in a SUSE product that are
> not covered by any other CNA" rules.  Doesn't your CNA charter allow you
> to do this now?

We're not empowered to do this. We are a CNA for code that we own (e.g.
zypper), but not for arbitrary open source projects.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
Geschäftsführer: Felix Imendörffer (HRB 36809, AG Nürnberg)
