This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Requesting CVEs for glibc security issues

On Mon, May 19, 2014 at 08:46:16AM +0100, Will Newton wrote:
> This doesn't seem to be the case. I am not sure of the
> political/economic motivations behind creating CVEs but it seems the
> onus is on the bug reporter/fixer to request a CVE on the oss-security
> list.

AFAIK for embargoed bugs, distribution maintainers sync up and release
a fix for the bug together before making the issue public.  For bugs
that are already public, security folks on the distribution teams
request a CVE on oss-security.

> In my opinion it would be useful if the glibc project had some
> kind of security person or team which could make sure any security
> bugs are identified and CVEs requested.

The MAINTAINERS page has information on this.

If you have a live exploit or a potential exploit, stick to private
communication with a subset of maintainers till you arrive at a fix.
The subset of maintainers should include the senior folks so that the
potential fix gets early review.

> It would also be useful to do the backports to stable branches of the
> security fix, but at the moment it seems every vendor has their own
> stable branch.

Yes, nobody is using the point releases right now, so there is no real
incentive in maintaining those branches.  This is true for bug fixes
in general, not just security fixes.


Attachment: pgpdS8tcAwbOP.pgp
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]