List: oss-security
Subject: Re: [oss-security] CVE assignment from previous years
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2011-12-21 0:11:12
Message-ID: 4EF12420.6070605 () redhat ! com
On 12/20/2011 11:07 AM, Steven M. Christey wrote:
>
> Note that the year does NOT include when the vuln was found (and if it
> was silently fixed, that's not a factor either).
>
> The year is almost always obtained from either:
>
> 1) When the CVE was first privately reserved. We already have more than
> two hundred CVE-2012-XXXX numbers reserved for various CNAs who are
> using them to coordinate disclosures that are scheduled to
> happen in 2012. This date often correlates with the year that the vuln
> was found, but not always.
>
> 2) When the issue was first made public. There can be some disagreement
> about when a vuln is first published (e.g. a bug report may lie
> unresolved, technically viewable by anybody, for a few years before it
> reaches general awareness, or something might be published on December
> 31 in one part of the world when it is January 1 in another part of the
> world.)
>
> Some CNAs who have a pool of CVEs from one year, will continue to use
> that pool in the next year if there are any CVEs left over, though I
> generally discourage it.
>
> In January and February 2012, you will probably still see a fairly
> large number of new CVE-2011-xxxx identifiers released, as MITRE/etc.
> assign CVEs to issues that were first published in 2011.
>
> - Steve
>
Steven is correct and I was wrong (as usual =) Please ignore what I
said previously.
--
-Kurt Seifried / Red Hat Security Response Team