Message-ID: <50145C4A.9010500@redhat.com>
Date: Sat, 28 Jul 2012 15:40:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Quick note on requesting CVEs for public issues

Just a note: if you need CVEs for open source security issues, email
oss-security@...ts.openwall.com
(http://oss-security.openwall.org/wiki/mailing-lists/oss-security).
Please note that these requests are completely public (anyone can sign
up to the oss-security@ list, and the archives are public). This is
generally one of the better ways to request a CVE, because everyone
that cares to track CVE numbers will find out about it ASAP, and
because the request is public it is unlikely that anyone else will
accidentally or otherwise request a CVE for the same issue, which
would result in a duplicate.

Timeline: I generally respond to these within one business day. This
means you'll either get a CVE or a request for more information if the
request is not properly formatted or is unclear, missing details, etc.

As far as what goes into the request:

Information for a CVE request that is REQUIRED:

    -Email address of the requester (so we can contact them)
    -Software name and optionally vendor name
    -At least one of (to determine if this is a security issue):
        Type of vulnerability
        Attack outcome
    -For Open Source, at least one of:
        Link to vulnerable source code or fix
        Link to source code change log
        Link to security advisory
        Link to bug entry
    -Affected version(s) (3.2.4, 3.x, current version, all current
     releases, something)
    -If this has been previously requested (i.e. on OSS-Sec or to
     cve-assign@...re.org), please inform me so we can avoid duplicates
    -If multiple issues are listed, please list affected versions for
     each issue and/or who reported them (so we can determine CVE
     split/merge status)

Information for a CVE request that is REQUESTED (optional):

    -More of the above information, of course
    -Software version(s) fixed (if available)
    -Any additional information that helps determine the status of the
     flaws/fixes

Examples of CVE entries can be found at http://cve.mitre.org/cve/,
examples of CVE requests can be found in the OSS-sec archives.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
