| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Jul 2012 15:40:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Quick note on requesting CVEs for public issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just a note if you need CVE's for open source security issues email
oss-security@...ts.openwall.com
(http://oss-security.openwall.org/wiki/mailing-lists/oss-security).
Please note that these requests are completely public (anyone can sign
up to the oss-security@ list, the archives are public). This is
generally one of the better ways to request a CVE because everyone
that cares to track CVE #'s will find out about it ASAP, and also
because it is a public request it is unlikely that anyone else will
accidentally or otherwise request a CVE for the same issue resulting
in a duplicate.
Time line: I generally respond to these within one business day, this
means you'll either get a CVE or a request for more information if the
request is not properly formatted or is unclear/missing details/etc.
As far as what goes into the request:
Information for CVE request that is REQUIRED:
-Email address of requester (so we can contact them)
-Software name and optionally vendor name
-At least one of (to determine if this a security issue):
Type of vulnerability
Attack outcome
-For Open Source at least one of:
Link to vulnerable source code or fix
Link to source code change log
Link to security advisory
Link to bug entry
-Affected version(s) (3.2.4, 3.x, current version, all current
releases, something)
-If this has been previously requested (i.e. on OSS-Sec or to
cve-assign@...re.org) please inform me so we can avoid duplicates
-If multiple issues are listed please list affected versions for
each issue and/or who reported them (so we can determine CVE
split/merge status).
Information for CVE request, REQUESTED:
-More of the above information of course
-Software version(s) fixed (if available)
-Any additional information that helps determine the status of the
flaws/fixes
Examples of CVE entries can be found at http://cve.mitre.org/cve/,
examples of CVE requests can be found in the OSS-sec archives.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJQFFxKAAoJEBYNRVNeJnmTcdgQAKuh0shrBkIIgt+XHGQNNsc7
Jv7ZFYGZJmvSMBsZ4nm8S/LlVEV+JQNVFVdRvN/GFndqiEaEv8T6NfryjzIOcwGD
byeNbXyEO+rnuAx51DMBjW8V6LCuYcv6BWOU994IphkumAouB9ZT3GFF3M+OKl+G
qckHjIXlu/mMUCwu2+k/m5i+y6/EmGsgllXTdE1GKt2oOm/FbipO63D8V+OPoRGz
H4o7aayPx5ldmuC+2lBhGbE5qc4QShk6hrrAH77G2NgDu13P3NQWCCNpPTYp7Fkl
r0P77oXHm/x/sbK5EGhobbGECjmpLHiMpzMi+YyXnROHfpwLsPqF4GViAOGlwHFf
fIhaNSLE6O+9h5c2cG7Vl3N4R6D7OyOU1IT+aKJVs0PECOyG0v+NNF+75QLTn+Qa
lO5l3gcrxnWVSZJffRc3lIRSyHcgFO6JMEN8LqRf1Fbneh59stReUnWdsK8tI3UT
i5Kp2CDaZBz7nfr5bpbsKv2v7u3TUm7GdXIZqxY1XdOLsLDKE48Erw44p4HZgH4m
/JVoxrnAXxZJp3iwdB2xgUSRjhEjeNHf4CNsuta4dQvB4ZbCABhZBLCWu5mxUdxo
0hEcRSeEw8uytnv3hKumPSP65zkfSR47+38zcma6+jagTvaBFYybUbFCbYXot/4P
0T3Ywh20IdszvTgMotWy
=Uciz
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists