[VIM] 267 Missing CVE in Jan, 2013 - please assign

Brian Martin brian at opensecurityfoundation.org
Wed Mar 20 15:39:01 CDT 2013


On Wed, 20 Mar 2013, Kurt Seifried wrote:

: > Neither do we. We already spend a *lot* of time trying to get
: > timely CVE information added to our entries. So I asked CVE to deal
: > with these assignments, not you, or OSS-Sec, or any other CNA.
: 
: Ah ok, I generally handle Open Source stuff so I assumed I was wanted 
: =). I also want to go through that list and make sure everything that 
: affects Red Hat is covered (cause that's what I get paid to do =).

As such, I'd imagine you are slowly working through that Debian list for 
Red Hat's benefit, if not as a CNA?

: > Honestly, no, and it shouldn't be our job to do that. If a CNA is 
: > releasing security fix information themselves, and not assigning a
: > CVE promptly, AND including it in the public source we got the
: > information from, then their CNA status should be revoked. They
: > completely miss the
: 
: Agreed. I actually meant more along the lines of "has anyone notified 
: them at all?" in addition to the CVE messy bits. Not all vendors 
: actually bother to read oss-sec/full disclosure/etc on the off chance 
: they get mentioned.

Quite a few of our entries that do not have CVE (historical, not just Jan 
2013) are actually from vendor sources. Changelogs, bug trackers, etc. So 
yes, many of them are aware of the issue, just that they don't know the 
value of getting a CVE or simply don't care.

: > it clear that can't happen most likely. Hell, even you have told
: > Debian "no" when they gave you a concise list of security issues
: > and asked for CVE identifiers. Rather than work through the list,
: > you said they had to
: 
: Cause I'm lazy and already assigning buttloads of CVEs (and again, 
: mostly quality issues, if that list was 100% correct and guaranteed then 
: I could do all the cves in 4 minutes). But most of these lists often 
: need investigation for which I don't have time (5 minutes per request 
: times 100-200 and boom my week is gone).

Right now, it is taking me a good 15+ minutes per entry to create an ID on 
our side. The time is spent reading the bug report (when possible), 
looking for upstream vendor URL, changelog, etc. One of our biggest 
'problems' when a Linux distro reports/fixes a bug, is that the solution 
is specific to that distro. We have to then check upstream to see if the 
vendor fixed it or not, and mangle accordingly. I don't think that the 
Linux distro is responsible for doing that, don't get me wrong. Just how 
we operate as we create entries based on the 'root cause' as much as 
possible.

: > Earlier last year I suggested that CVE utilize more CNAs to handle
: > this. I still advocate that, but I must amend my suggestion to
: > include "responsible CNAs", as most operating these days are not so
: > helpful.
: 
: Yeah. One thing I have been thinking about is having specific people
: take specific projects and handle the CVE requests/make sure they are
: good and then I can assign them way faster. For example WordPress (not
: to pick on them, it's just a widely used package) for which the vendor
: isn't doing CVE requests/etc. and people want them to have CVEs

WordPress and Drupal, by way of their 92384 extensions, and soon to be 
Ruby by way of their 92384 gems, should each have 1 person doing CVE 
assignments. That would make all of our lives a lot easier.

: suddenly we have much better coverage of popular software. So they 
: wouldn't be a CNA, but maybe some sort of semi official "CVE-Requestor" 
: and so for Wordpress I only take requests from that person, and point 
: reporters at them. This way most of the grunt work gets farmed out and 
: done and the CVE assignment no longer needs research since it's already 
: been done. Steven: thoughts/comments? If it were quasi official that 
: would probably help.

I've thought about OSVDB becoming a CNA specifically to assign for 
historical issues. That is one area Steve has indicated is too low 
priority for them to deal with. For example, if a 2000 vulnerability still 
does not have an open CVE assigned by 2012, I think it would be safe for 
us to assign one. The odds of duplicates are pretty low, and CVE could 
spot check any of them before officially assigning if they wanted.

But, that is a lot of work for little value, as most people don't care 
about historical like we do.

Brian
