Re: Regarding CVE assignments on oss-sec mailing list

On Mon, Nov 30, 2015 at 11:05 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
On Sun, 29 Nov 2015 15:11:20 +0000
"Williams, Ken" <Ken.Williams@ca.com> wrote:

Adding a CVE ID 3 months after the publication of an advisory should
only help historians.  In my mind that defeats a main purpose of the
CVE, which is to know if Alice, Bob and Charlie are talking about the
same issue or not.


Except it makes tracking it a lot easier, and many times more than one vendor embeds/ships the affected code. OK, mostly this is an OpenSource world issue, but based on the fact that OpenSource is the underpinning of all Linux, BSD, Mac OS X, Android (basically everything except Windows), it does matter quite a bit. Security issues often crop up again and again as people re-use code.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: December 01, 2015