This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Consensus: Security Hall of Fame, Security issue attributions, NEWS, and Contribution Checklist.


On 10/21/2015 11:05 PM, Joseph Myers wrote:
> I think we had consensus for Florian to assign CVEs for public security 
> bugs as per <https://sourceware.org/ml/libc-alpha/2015-10/msg00034.html> 

I'm still trying to get permission from MITRE to do this.  I have yet to
receive any kind of response from them.

At present, MITRE does not assign CVE IDs for glibc security
vulnerabilities within a reasonable time frame.  The CVE pools at
Debian, Red Hat, and other distributions can only be used for
not-yet-public issues (but we can make vulnerabilities public
immediately after CVE assignment if the impact is not critical).

Reporters generally want CVE IDs (to list them on their CVs etc.), and
they are really helpful for tracking vulnerabilities downstream.  Right
now, we can get such IDs only if vulnerabilities are reported privately.
I hope this will change eventually, but in the meantime, in order to
match reporter expectations regarding CVE assignment (and downstream
requirements), we need to nudge them towards private reporting, to the
downstream security contacts listed on the Security Process page.

Florian

