
List:       oss-security
Subject:    Re: [oss-security] Contributing Back
From:       Zhang Xiao <xiao.zhang () windriver ! com>
Date:       2020-07-28 2:46:22
Message-ID: c7838a1a-1894-4679-06fb-23006f526bdc () windriver ! com


On 2020/7/23 at 7:56 PM, Solar Designer wrote:
> On Thu, Jul 23, 2020 at 01:51:17PM +0530, Mohammad Tausif Siddiqui wrote:
>> I think the ball is on the CNA: Hackerone side to get it published to
>> MITRE, so that they can show it up on their page.
>>
>> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
>> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
>> the CVE was assigned on distros list or elsewhere. That closes the reminder
>> loop.
>>
>> There's no pull request for CVE-2020-8177 at
>> https://github.com/CVEProject/cvelist/pulls
>> We cannot determine if they used the alternative, web form:
>> https://cveform.mitre.org/
>>
>> You may want to reach Hackerone from the CNA contacts
>> <https://cve.mitre.org/cve/request_id.html#cna_participants>, for this
>> exception of delay.
> Most of the above is once again too specific to the given CVE ID,
> whereas we need a general understanding of whether the task Xiao
> proposes and volunteers for is worthwhile or not.  I'd appreciate a
> direct answer to that.
>
> Do I interpret this paragraph correctly as implying the answer is no? -
>
>> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
>> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
>> the CVE was assigned on distros list or elsewhere. That closes the reminder
>> loop.
> In other words, CNAs receive their reminders from MITRE weekly, so
> there's no need for anyone else reminding them, correct?  However, can
> it happen that MITRE wouldn't recognize a CVE ID as "Reserved But
> Public", continuing to treat it as merely reserved, in which case there
> would be no reminder to correct that?  Could Xiao help with this?

Until now, both CVE-2020-8177 and CVE-2020-8169 are still "reserved". I
believe it is valuable to remind them and I am glad to do it, but I just
realized I don't know how to do it.

I tried two methods but neither of them works. Can anyone give me any
advice on how to do it?


Thanks

Xiao


> Alexander
