
List:       full-disclosure
Subject:    [Full-disclosure] Quick note on requesting CVEs for public issues
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-07-28 21:40:26
Message-ID: 50145C4A.9010500 () redhat ! com

Just a note: if you need CVEs for open source security issues, email
oss-security@lists.openwall.com
(http://oss-security.openwall.org/wiki/mailing-lists/oss-security).
Please note that these requests are completely public (anyone can sign
up to the oss-security@ list, and the archives are public). This is
generally one of the better ways to request a CVE because everyone
that cares to track CVE #'s will find out about it ASAP, and also
because it is a public request it is unlikely that anyone else will
accidentally or otherwise request a CVE for the same issue, resulting
in a duplicate.

Timeline: I generally respond to these within one business day; this
means you'll either get a CVE or a request for more information if the
request is not properly formatted or is unclear/missing details/etc.

As far as what goes into the request:

Information for CVE request that is REQUIRED:

    -Email address of requester (so we can contact them)
    -Software name and optionally vendor name
    -At least one of (to determine if this is a security issue):
        Type of vulnerability
        Attack outcome
    -For Open Source at least one of:
        Link to vulnerable source code or fix
        Link to source code change log
        Link to security advisory
        Link to bug entry
    -Affected version(s) (3.2.4, 3.x, current version, all current
     releases, something)
    -If this has been previously requested (i.e. on OSS-Sec or to
     cve-assign@mitre.org) please inform me so we can avoid duplicates
    -If multiple issues are listed please list affected versions for
     each issue and/or who reported them (so we can determine CVE
     split/merge status).

Information for CVE request, REQUESTED:

    -More of the above information of course
    -Software version(s) fixed (if available)
    -Any additional information that helps determine the status of the
     flaws/fixes

Examples of CVE entries can be found at http://cve.mitre.org/cve/,
examples of CVE requests can be found in the OSS-sec archives.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/