Op 20-09-2023 om 03:39 schreef Jody Garnett:
Follow up to this week's meeting.
As research for GSIP-220 I have made second attempt to update
CVE-2023-35042 via a pull request
<https://github.com/github/advisory-database/pull/2721> to GitHub
advisory database.
As part of the pull-request review the following were updated:
CVE-2023-35042
* https://github.com/advisories/GHSA-59x6-g4jr-4hxc
<https://github.com/advisories/GHSA-59x6-g4jr-4hxc>
And although I cannot quite tell what was changed the original jai-ext
one was updated also:
CVE-2022-24816
* https://github.com/advisories/GHSA-v92f-jx6p-73rx
<https://github.com/advisories/GHSA-v92f-jx6p-73rx>
The process was much more positive/successful then the attempt at
working via MITRE.
The problem is that these changes don't propagate "up"'; unless GH is
the CNA (CVE Numbering Authority == assigner of the CVE) the changes are
on the GH side only and not in the MITRE database
(https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD
data/api's (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)
I know the pain of trying to work with Mitre (and Sonatype as well) and
unresponsive reporters; it's very discouraging at best.
Mark
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
