Indeed, I am not sure about working with MITRE after our initial poor experience. Maybe if we can push up a link to the project issue or something which we control?
Still the goal of the GSIP-220 proposal is to use the GitHub security advisory database to request new CVE numbers. I think it is a worthwhile step for managing known issues and improving interactions.

Jody

On Wed, Sep 20, 2023 at 5:29 AM mark <mc.pr...@gmail.com> wrote:
> On 20-09-2023 at 03:39 Jody Garnett wrote:
> > Follow up to this week's meeting.
> >
> > As research for GSIP-220 I have made a second attempt to update
> > CVE-2023-35042 via a pull request
> > <https://github.com/github/advisory-database/pull/2721> to the GitHub
> > advisory database.
> >
> > As part of the pull-request review the following were updated:
> >
> > CVE-2023-35042
> >
> > * https://github.com/advisories/GHSA-59x6-g4jr-4hxc
> >
> > And although I cannot quite tell what was changed, the original jai-ext
> > one was updated also:
> >
> > CVE-2022-24816
> >
> > * https://github.com/advisories/GHSA-v92f-jx6p-73rx
> >
> > The process was much more positive/successful than the attempt at
> > working via MITRE.
>
> The problem is that these changes don't propagate "up"; unless GH is
> the CNA (CVE Numbering Authority == assigner of the CVE) the changes are
> on the GH side only and not in the MITRE database
> (https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD
> data/APIs (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)
>
> I know the pain of trying to work with Mitre (and Sonatype as well) and
> unresponsive reporters; it's very discouraging at best.
>
> Mark

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
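The propagation problem Mark describes (a GHSA-side edit that never reaches the CNA, so cve.org and NVD keep the old data) is easy to detect mechanically: fetch both records for the same CVE and compare what they say about fixed versions and when they were last modified. The script below is an added example for this thread, not code from the GeoServer project or the mailing list. It runs offline on two constructed sample records whose shape follows the GitHub REST advisory endpoint (`GET /advisories/{ghsa_id}`) and the NVD CVE API 2.0 response as the author of this example understands them; the package name, version numbers and timestamps are placeholders, not the real contents of CVE-2023-35042 / GHSA-59x6-g4jr-4hxc.

```python
"""Offline divergence check between a GitHub advisory (GHSA) record and the
NVD record for the same CVE.

Both records are CONSTRUCTED samples (an assumption about the two APIs'
JSON shape); package names, versions and dates are placeholders.
"""
from datetime import date
from typing import Any, Dict, Set

GHSA_RECORD: Dict[str, Any] = {
    "ghsa_id": "GHSA-59x6-g4jr-4hxc",
    "cve_id": "CVE-2023-35042",
    "updated_at": "2023-09-19T00:00:00Z",  # constructed: edited after NVD's copy
    "vulnerabilities": [
        {
            "package": {"ecosystem": "Maven", "name": "org.example:placeholder-lib"},
            "vulnerable_version_range": "< 1.2.3",  # constructed
            "first_patched_version": "1.2.3",       # constructed
        }
    ],
}

NVD_RECORD: Dict[str, Any] = {
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2023-35042",
                "lastModified": "2023-07-01T00:00:00.000",  # constructed: older
                "configurations": [
                    {"nodes": [{"cpeMatch": [
                        {
                            "vulnerable": True,
                            "criteria": "cpe:2.3:a:example:placeholder-lib:*:*:*:*:*:*:*:*",
                            "versionEndExcluding": "1.2.0",  # constructed: stale fix bound
                        }
                    ]}]}
                ],
            }
        }
    ],
}


def ghsa_fixed_versions(record: Dict[str, Any]) -> Set[str]:
    """First patched version of every affected package in the GHSA record."""
    return {
        v["first_patched_version"]
        for v in record.get("vulnerabilities", [])
        if v.get("first_patched_version")
    }


def nvd_fixed_versions(record: Dict[str, Any]) -> Set[str]:
    """versionEndExcluding of every vulnerable CPE match in the NVD record."""
    fixed: Set[str] = set()
    for entry in record.get("vulnerabilities", []):
        for config in entry["cve"].get("configurations", []):
            for node in config.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if match.get("vulnerable") and match.get("versionEndExcluding"):
                        fixed.add(match["versionEndExcluding"])
    return fixed


def _day(timestamp: str) -> date:
    """Both APIs lead with YYYY-MM-DD; day granularity is enough for this check."""
    return date.fromisoformat(timestamp[:10])


def compare_records(ghsa: Dict[str, Any], nvd: Dict[str, Any]) -> Dict[str, Any]:
    """Report whether the GHSA and NVD copies of one CVE still agree."""
    nvd_cve = nvd["vulnerabilities"][0]["cve"]
    ghsa_fixed = ghsa_fixed_versions(ghsa)
    nvd_fixed = nvd_fixed_versions(nvd)
    same_cve = ghsa["cve_id"] == nvd_cve["id"]
    return {
        "cve_id": ghsa["cve_id"],
        "same_cve": same_cve,
        # A GHSA timestamp newer than NVD's is the hint that an edit was made
        # on the GitHub side that the CNA-fed databases have not picked up.
        "ghsa_modified_after_nvd": _day(ghsa["updated_at"]) > _day(nvd_cve["lastModified"]),
        "ghsa_fixed": sorted(ghsa_fixed),
        "nvd_fixed": sorted(nvd_fixed),
        # Divergent when both describe the same CVE but disagree on fix versions.
        "divergent": same_cve and ghsa_fixed != nvd_fixed,
    }


if __name__ == "__main__":
    for key, value in compare_records(GHSA_RECORD, NVD_RECORD).items():
        print(f"{key}: {value}")
```

Against real data you would replace the two constants with the JSON bodies of the two API calls; a `divergent` result combined with `ghsa_modified_after_nvd` is exactly the "changes are on the GH side only" situation, and is the signal to chase the CNA rather than assume the GHSA edit is done.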