It's interesting that the example given is how the CNCF data for log4j
is better than CVE (ref:
) however the CNCF entry is actually worse, because, for example,
their version comparison incorrectly would flag log4j 2.12.3 as
vulnerable when it isn't.  However the CVE entry that we've been
updating is correct

For the upcoming White House meeting this week (which I'm attending)
in the ASF position paper we mention this CVE agility as being
deliberate and important.


On Tue, 11 Jan 2022 at 14:59, Art Manion <> wrote:
> All,
> I plan to be involved in this event assuming it happens, for both CVE and 
> $dayjob reasons.  I will of course represent CVE but we may want additional 
> involvement, including someone from the Secretariat (MITRE is specifically 
> mentioned).
> Regards,
>   - Art

Reply via email to