
Re: CVE-2017-7269 and abandonware

On 2017-03-30 11:55, Kurt Seifried wrote:

> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of
> the flaw's existence. And like G.I. Joe says "knowing is half the battle".

Yes, cases like this should get CVE IDs.  My question was who assigns
them, so CNA rules/guidance.

> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org> wrote:
>     I agree with Kent's perspective on this.

Me too.

>     In this specific case, the discoverer contacted the CNA and received
>     a case number. However, they were told that the unsupported/obsolete
>     product was outside the scope of the CNA.

So the vendor CNA did not issue an ID, then the MITRE CNA did?

>     > Is the vendor CNA primarily responsible, if one exists?
>     Yes. We should always give them the opportunity and redirect to them
>     first if they exist. If they refuse, then a next available CNA could
>     be contacted. One item for the Board discussion: as the backup CNA,
>     how would we verify that this conversation took place?

Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?

 - Art

Page Last Updated or Reviewed: March 30, 2017