This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Streamlining CVE assignment for glibc


We have trouble obtaining CVE assignments for already-public
vulnerabilities in glibc.

Here's a recent request to MITRE which has remained unprocessed for weeks:

  <http://openwall.com/lists/oss-security/2015/09/08/2>

(This does not affect assignment for privately-reported vulnerabilities.
We can get CVE IDs from CNAs such as Red Hat and Debian.  However, once an
issue is public, assignment has to go through MITRE.)

I want to change that for glibc, and receive authority (personally, for
myself) to assign IDs for public glibc issues, as they are documented in
Sourceware Bugzilla.  I am already familiar with the assignment process,
so I think it's natural that I take care of this matter, but if anyone
else wants to share responsibility for this, I'm happy to collaborate.
I do not plan to make glibc a full CNA, though, which means we need to
rely on other organizations' assignment pools in the background (Debian
and Red Hat, for now).

Lack of CVE assignment makes security tracking more complicated, and may
even force downstreams who backport our fixes to release security
advisories without CVE IDs, which in turn causes grief for end users.

What do you think?

Florian
