Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F6396C6.8080505@redhat.com>
Date: Fri, 16 Mar 2012 13:38:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Mark Stanislav <mark.stanislav@...il.com>
CC: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>
Subject: Re: CVE Requests

On 03/16/2012 12:30 PM, Mark Stanislav wrote:
> 
> Is "VS@" supposed to be vendor-sec; the defunct list? Or is there
> another list I am not aware of? If so, can you please give me the *full*
> address? Thanks.

Sorry it is: http://oss-security.openwall.org/wiki/mailing-lists/distros

> I'd say you may want to coordinate that documentation with Steve Christy
> as the nine times he allocated CVEs for me directly, this sort of
> conversation never came up. I can understand frustration on your part
> that people may not be educated, but realize that if CNAs handle this
> process differently, it may not be a matter of education on how 'the
> system works' but rather consistency within the entire process, agnostic
> of whom is allocating a CVE.

We're working on it.

> I again, do appreciate your time but I suppose I'll just wait for Steve
> or whomever is manning cve@...re to contact me back.

I'm simply loathe to assign CVE's for which I get no details from a
third party especially when they have sent requests in to Mitre already.
How do I know if Mitre has or has not assigned a CVE yet? We basically
end up with a race condition (and duplicates).


> Best,
> 
> -Mark



-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.