oss-sec mailing list archives

Re: issue with stuck Mitre CVE requests


From: Johannes Segitz <jsegitz () suse de>
Date: Mon, 27 Jan 2025 09:13:28 +0100

On Sat, Jan 25, 2025 at 01:24:36AM +0000, Mark Esler wrote:
> On Wed, Jan 22, 2025 at 03:18:10PM +0100, Johannes Segitz wrote:
> > We're not empowered to do this. We are a CNA for code that we own (e.g.
> > zypper), but not for arbitrary open source projects.
>
> The text of SUSE's scope [0] is similar to Canonical's [1]. We
> understand "All Canonical issues (including Ubuntu Linux) only" as
> including all software we distribute. It does not require us to be the
> author of that code.

Interesting. I'll reach out to MITRE to clarify this and will report back
(might take a while, I'll be away for some weeks starting tomorrow). When I
was introduced to this > 10 years ago I was told not to allocate for
anything for which we're not clearly upstream.

Johannes
-- 
GPG Key                EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
