What is our SLA for going from reserved CVE to published CVE?

Carlos O'Donell carlos@redhat.com
Thu May 16 11:16:49 GMT 2024


On 5/16/24 3:21 AM, Adhemerval Zanella Netto wrote:
> 
> 
> On 15/05/24 20:36, Siddhesh Poyarekar wrote:
>> On 2024-05-15 14:32, Carlos O'Donell wrote:
>>> On 5/2/24 6:46 AM, Florian Weimer wrote:
>>>> * Siddhesh Poyarekar:
>>>>
>>>>> On 2024-05-01 22:12, Carlos O'Donell wrote:
>>>>>> Would it be better if we just published interim text and updated as
>>>>>> we go?
>>>>>
>>>>> The CVE record tends to have a single line description that identifies
>>>>> affected functionality and versions, which I think we should be able
>>>>> to deliver when we reserve the CVE.
>>>>
>>>> I think this would be best, yes.
>>>
>>> Just for clarity, reservation does not require any updates.
>>>
>>> I would have to *publish* the CVE IDs with *minimal* data to meet the CNA rules.
>>>
>>> This includes having a valid public link, which means I need to also commit minimal
>>> text to the advisories/ directory for the link to be valid.
>>>
>>> Are we agreeing to a minimal publishing regime followed by an update?
>>>
>>
>> Yes.
>>
>> Sid
>>
> 
> Agreed as well.
> 

Done. That is the entire glibc security team in agreement; we'll publish minimal
updates for *public* CVEs to avoid the delay between reservation and publishing.
This allows downstream to be alerted to the issue early. This also means we have
consensus to push advisories/ files with those minimal updates and follow up with
review of final patches with full text.

-- 
Cheers,
Carlos.