[Secure-testing-team] [Secure-testing-commits] r12531 - data/CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Mon Aug 10 03:12:48 UTC 2009


On Sun, 9 Aug 2009 21:11:44 +0200 Moritz Muehlenhoff wrote:

> On Sun, Aug 09, 2009 at 01:34:21PM -0400, Michael S. Gilbert wrote:
> > On Sun, 9 Aug 2009 19:02:49 +0200 Nico Golde wrote:
> > 
> > > Hi,
> > > * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-09 18:42]:
> > > > On Sun,  9 Aug 2009 13:56:23 +0000 Nico Golde wrote:
> > > > 
> > > > > Author: nion
> > > > > Date: 2009-08-09 13:56:23 +0000 (Sun, 09 Aug 2009)
> > > > > New Revision: 12531
> > > > > 
> > > > > Modified:
> > > > >    data/CVE/list
> > > > > Log:
> > > > > add todos for new items, please do that as well next time
> > > > > 
> > > > > Modified: data/CVE/list
> > > > > ===================================================================
> > > > > --- data/CVE/list	2009-08-09 13:55:11 UTC (rev 12530)
> > > > > +++ data/CVE/list	2009-08-09 13:56:23 UTC (rev 12531)
> > > > > @@ -4,11 +4,13 @@
> > > > >  	- rubygems <not-affected>
> > > > >  	NOTE: debian's version installs gems packages to /var/lib/gems,
> > > > >  	NOTE: so no opportunity to overwrite system files
> > > > > +	TODO: request CVE id
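Review bot: the hunk header `@@ -4,11 +4,13 @@` announces two added lines, but only one `+` line (`+	TODO: request CVE id`) is visible, so the quoted hunk appears truncated and the second added line cannot be reviewed here. As a minor style point for the tracker, the TODO would be more actionable if it recorded where the request should be sent and the source of the report (the thread mentions oss-security), e.g. `TODO: request CVE id (oss-security)`.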
> > > > 
> > > > ok, is a mail to oss-sec like yours sufficient?  also, i thought there
> > > > were going to be some workflow changes where the security team could
> > > > autonomously assign a CVE from a pool allocated to debian.  are there
> > > > any formal plans for that?  or would that only be done along with a DSA?
> > > 
> > > Sorry, misunderstanding, I was just referring to the TODO 
> > > entries. Just add those TODOs in the future and you'll be 
> > > fine. Just want to make sure nothing is missing later.
> > 
> > ok, can and should i go ahead and send the mail to oss-sec also?  or are
> > only select people in debian supposed to do that?
> 
> We should be careful that IDs are only requested if they've received
> a little bit of investigation to prevent bogus issues from receiving
> a CVE ID. 

i understand the need for care, and i am being careful, but i don't see
this as much of a problem.  if an issue is subsequently determined to be
unimportant, it can just get REJECTED. i'd rather err on the side of
caution and get a CVE for all potential security issues so they can be
uniquely and globally tracked (and not just within debian).

but i will follow your guidelines.  if you just want TODOs, then i will
just do TODOs.

> I guess it depends on where the information is coming from.

the sources of the problems i have been reporting are either
oss-security, fulldisclosure, or other distro security mailing lists.

mike
