> On Fri, Nov 13, 2020 at 01:33:31PM +0100, Hanno Böck wrote:
>> 3 years ago I reported a heap overflow vulnerability in raptor, an RDF
>> parsing library:
>> https://www.openwall.com/lists/oss-security/2017/06/07/1
>> ...
>> Maybe noteworthy is that this didn't get a CVE in 2017. It seems many
>> distros rely on CVEs to get a process of backporting fixes rolling.
>> Given the fluctuating reliability of CVE assignments not sure this is
>> wise. I have now requested a CVE (CVE-2017-18926).

...

> On Nov 14, 2020, at 6:58 AM, Marcus Meissner wrote:
> I think the only thing you can do additional is to request a CVE.
>
> All tracking by everyone is using CVEs, this is the core identifier
> of the software security world.

I think this is key. If you find a vulnerability, you typically need to ensure that it gets a CVE assigned if you want coordination & resolution to happen. It's how coordination happens.

There are issues with CVEs, but I've never seen a CVE assignment get dropped in recent years once it was requested properly. Delayed, yes, but I know CVE assignments don't take 3 years :-). And yes, there are special issues with the Linux kernel, but this package isn't the Linux kernel.

If you think that CVE assignment is still of "fluctuating reliability" I'd like to hear that argument and get it fixed. It's normally better to fix the standard process for doing something than to create yet another process that runs in parallel. I've seen no recent evidence of this reliability issue.

Sing this (to "Single Ladies"): "If you like it, then you shoulda put a CVE on it..."

--- David A. Wheeler