
List:       oss-security
Subject:    Re: [oss-security] CVE request: cmsmadesimple before 1.11.8 / bad upstream behaviour vs. CVE assignm
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-10-21 20:10:53
Message-ID: 52658A4D.6040305 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2013 01:20 PM, Hanno Böck wrote:
> Hi,
> 
> I want to request a CVE, but also start some discussion about how
> to handle such issues.
> 
> The release notes for cmsmadesimple 1.11.8 mention a security
> issue: 
> http://www.cmsmadesimple.org/announcing-cmsms-1-11-8-fioreana/ 
> "This release brings a few minor features, some performance 
> improvements, documentation improvements, a Smarty upgrade, and a 
> number of bug fixes (including a minor security issue)."
> 
> Now, this is all the information you get. Nothing about the kind
> of security issue, let alone a bug nr or commit. The question is:
> What do we do with such shitty upstream behaviour?
> 
> Last time I reported something alike I was told that I should
> provide more info. The question is: How?
> 
> Sure, I could diff the release to the release before or try to
> find some repository and read all the commits in the timeframe. But
> I'm not getting paid for this, I merely want to improve overall
> security of free software voluntarily.
> 
> So how will we proceed with such stuff? In the past, we often had
> "CVE for unknown security issue in xxx"-alike assignments.
> 
> cu,
> 

Yeah, maybe if we can incentivize this research, e.g. give people
credit or something, not for discovering the issue but for researching
it and posting the details/diff/whatever. In general, if no details are
available, unless there's some reason not to, I would hand these over
to Mitre to deal with.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSZYpNAAoJEBYNRVNeJnmTah4P/11dpXzYiiNhg0SsUf69U5un
exRZfItnH8EWJcZDhIZAdiIDbBwqAkiTIKGoL4nek+bn8j/cDKmxdt528tutjn63
fxlLbGvmeuT4QBWqFa0cGuuofj1TjftTgwkGGxi6BW2stnbCHWf7AtVYgJ5rI8NH
rcjYIOJoM8jYxlNXAViglYYsCoXs+XmV/Vja19fvE7ji7xJ1PrAclZ3DhwarOIQZ
s4bDjebsSs3yq5x7Mn3Wp7E5dA4+RvjYgw7f2IA+S94dzsWq/NQI0j8mZfG38eK9
zT2wANHHE8RfFjDSlgjgXk27yvxG7d5ATSr8wL3cklLfEa5YxsD0/PSXxpDFkVsa
DosaocolygV4YfoPjYhutrUsVj0o9ELfx5Zhtj74/0DGMWbPNIgGJtSVBb89Wyky
V1nIX3ApzpyQWvB9kp7AF+BpPjuB874mK7X5ckxy/Vz3a+IqPP9zJHVG/G8rzslM
pP7VcH+VK62t91JUfsARchjDvxmMwp/4VnBGEfL+eChwYoDKCTXWoE0e2slRdpgC
4T09ZLAwP8W6+D69UcxhbtgqcgsAJhKBtvilV2BGPZOWkmftF8qZTmkjF9cezhyT
j3aBLVhG1YszJ8z+LXZT14NYcIjCRMFIpo0/aYlQiExMe+MFBJZx9lay91THFfnB
K06Hkj5n2b/Bs+t65r6y
=GvzO
-----END PGP SIGNATURE-----