[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regarding CVE assignments on oss-sec mailing list

> "Just as a reminder, there's currently no agreement in place between
> the MITRE CVE team and Red Hat that would let Red Hat assign a CVE ID
> for a public report in this way."

I spotted a security advisory come out from my team today which had no CVE 
on it.  What, how is that possible?  We make a big deal about having 
vulnerability identifiers on every vulnerability we fix in a Red Hat 
security advisory, since we started doing this 15-odd years ago.

https://rhn.redhat.com/errata/RHSA-2015-2515.html

My team told me we'd fixed the same issue already in November in different 
products.

A request for a CVE name went to oss-security in October, and repinged in 
November just before the first advisory.

http://seclists.org/oss-sec/2015/q4/358

In the past we'd simply just take something our of CNA and ask for 
forgiveness later, kind of like Kurt did for the issue in this thread.

I figure a security issue being fixed in Red Hat Enterprise Linux is 
something that's going to get a CVE, no matter what reduced inclusion 
criteria may apply (it's not even in an obscure component or some older 
version, this is the latest RHEL and git)

We want to have a vulnerability identifier for every vulnerabilty we know 
we're fixing.  So that means we either keep pinging and calling 
people at Mitre before any similar RHSA, or start to abuse our CNA powers, 
or invent our own temporary CXX prefix for these.

Mark
Page Last Updated or Reviewed: December 16, 2015