[VIM] 267 Missing CVE in Jan, 2013 - please assign

Brian Martin brian at opensecurityfoundation.org
Wed Mar 20 15:11:47 CDT 2013

On Wed, 20 Mar 2013, Kurt Seifried wrote:

: > http://preview.tinyurl.com/2013-01-missing-cve

: How have you confirmed that no cve is assigned? E.g. a quick look and I 
: see at least one for which I assigned CVEs publicly:

The current system makes that time-consuming and 'cost' prohibitive to us. 
There are too many CNAs operating, and the current system is not designed 
to allow a CNA-assigned ID to appear in a central location (e.g. 
cve.mitre.org) to verify. As you mentioned in your previous mail to VIM, 
if a system was in place so we could see the assignment, even if the CVE 
has not been completed (e.g. the text, x-refs to the usual VDBs), that 
would be extremely helpful. Having to wait months to see the actual CVE is 

: http://direct.osvdb.org/show/osvdb/89328
: Piwik Multiple Unspecified XSS
: http://piwik.org/blog/2013/01/piwik-1-10/
: I assigned the CVEs here:
: http://www.openwall.com/lists/oss-security/2013/01/17/15
: based on the same url as you
: (http://piwik.org/blog/2013/01/piwik-1-10/). So I can't simply use
: this list to assign CVE's for the Open Source stuff since it is
: incorrect (e.g. stuff for which you say no CVE is assigned do have

The list isn't "incorrect", we simply missed one (likely a few) CVE 
assignments, again because of the varied places they can pop up for 
initial disclosure. While we follow OSS-Sec almost daily, sometimes the 
delays in assigning via that list (e.g. when there is discussion leading 
up to the assignment) are substantial as well.

: CVE's assigned). I also don't have the time to confirm a CVE was not 
: assigned through some other method (e.g. via Mitre/etc.).

Neither do we. We already spend a *lot* of time trying to get timely CVE 
information added to our entries. So I asked CVE to deal with these 
assignments, not you, or OSS-Sec, or any other CNA.

: Also for the vendor stuff like Apple/Adobe/Google where that vendor is a 
: CNA have you reached out to them to confirm no CVE is assigned and/or 
: get a CVE assigned as needed?

Honestly, no, and it shouldn't be our job to do that. If a CNA is 
releasing security fix information themselves, and not assigning a CVE 
promptly, AND including it in the public source we got the information 
from, then their CNA status should be revoked. They completely miss the 
point of CVE. If Google is a CNA, and there is a security-related 
Chrome/WebKit issue in their tracker, then a CVE should be included with 
it as soon as it is identified as security-related. If that is too much to 
ask, they don't need to be a CNA, when other CNAs (e.g. you) are 
incredibly responsive and very quick to assign.

Using your example above, if a WebKit issue is deemed security related, 
who exactly would issue the CVE in that case, if both Apple and Google are 
CNAs? They both contribute to the project. I don't know about you, but I 
would rather not hold my breath while those two organizations bang their 
heads together for a few days or weeks trying to figure out who gets to 
assign. Google is already doing a MISERABLE job in making their 
vulnerabilities clear. The last 30 days, Carsten Eiram has found an 
incredible number of "Chrome" vulnerabilities that are really WebKit, and 
potentially affect more browsers than just Chrome.

I understand that CVE is strained under the pressure of assignments 
lately, and the last year of board meetings have made it clear that they 
simply can't keep up. Knowing that, I think CVE should focus on 
streamlining the process to assist the community, rather than keep doing 
the same thing. Just like CVSS is on v2, with v3 in the works, CVE needs 
to evolve every couple of years to handle the work load.

Also note that my mail requesting these CVEs was half in jest. Sure, I 
would love to see a CVE assigned for every known issue, but they have made 
it clear that can't happen most likely. Hell, even you have told Debian 
"no" when they gave you a concise list of security issues and asked for 
CVE identifiers. Rather than work through the list, you said they had to 
post to OSS-Sec to request them. I understand your decision to do so, but 
it also speaks to the problem of volume.

Earlier last year I suggested that CVE utilize more CNAs to handle this. I 
still advocate that, but I must amend my suggestion to include 
"responsible CNAs", as most operating these days are not so helpful.
