Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4F631572.1020408@op5.se>
Date: Fri, 16 Mar 2012 11:26:58 +0100
From: Andreas Ericsson <ae@....se>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>, 
 Mark Stanislav <mark.stanislav@...il.com>
Subject: Re: CVE Requests

On 03/16/2012 04:41 AM, Kurt Seifried wrote:
> 
> I need the actual info, please refer to:
> 
> http://www.openwall.com/lists/oss-security/2012/03/16/2
> http://www.openwall.com/lists/oss-security/2012/03/15/9
> http://www.openwall.com/lists/oss-security/2012/03/14/6
> http://www.openwall.com/lists/oss-security/2012/03/12/7
> 

Those mails are all exemplary requests for CVE id's, ofcourse, but the
fact that they are all already fixed and released means that 100% of
the work is already done. At that point, assigning a CVE id is mostly
useless and is done as a "just for the record" thing.

The need for unified identifier for a particular issue is greatest
when discussing the problem and its potential solutions; Not how
someone actually solved it after it's already done. If CVE is to become
a thing for changelogs only, all those projects that don't use one
but rely on commit-messages instead won't use CVE id's at all, and the
usefulness of the CVE database dwindles.

-- 
Andreas Ericsson                   andreas.ericsson@....se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.