CNA Rules Version 4.0 update and impact to glibc CNA?
Carlos O'Donell
carlos@redhat.com
Wed May 8 13:19:55 GMT 2024
Community,
The CNA Rules Version 4.0 will come into effect soon:
https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf
The biggest changes in the rules as noted by the program are:
* CNAs must not consider the type of technology as the sole basis for determining assignment.
  - For glibc we don't care how our users use the library; we don't even assign a CVSS score because we can't know how the library is built and integrated downstream.
  - This change isn't a particular concern.
* CNA of Last Resort (CNA-LR) can assign if the CNA declines.
  - The CNAs still get to decide what is "significant harm" in the v4 rules, and if the issue can cause "significant harm" then we should assign a CVE ID.
Overall I think the v4 rules (I haven't read the whole set of changes against the older rules) don't have a major impact.

Please feel free to comment here if you think there is something else the glibc security team should consider.
--
Cheers,
Carlos.