Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 11 Oct 2014 20:13:15 -0600
From: Kurt Seifried <>
Subject: Re: Re: Request for CVE assignment for tigervnc affected
 by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver

On 11/10/14 03:59 PM, wrote:
> First, in general, when asking for a CVE assignment for an issue
> "similar" to an existing CVE, it is very useful to provide an
> additional statement or reference indicating why the issue should not
> be mapped to the existing CVE. A difference in the product name does
> not always require a separate CVE.

Agreed. One pain point i have encountered with CVE SPLIT/MERGE is the
"when is a code fork a fork, or just a normal fork?" E.g. sometimes it's
easy: like one week after the MariaDB fork from MySQL it's obvious that
any flaw affecting one will affect the other and they're basically the
same code, but as time goes on MariaDB is diverging. One thing that
would be hugely useful here to solve the CVE MERGE problem, and to let
people know what related software packages they should look at would be
a database of code considered "equivalent" by Mitre for the purposes of
CVE MERGE and also for people to check if other things are affected by
the same flaw.

I suspect there aren't actually that many entries, and populating it as
they come up would be pretty simple, especially if there's an easy way
to submit entries (just send an email?).  Would this be something Mitre
can do perhaps?

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.