Hi, I realize I should have spent more words to explain my concern.
Of course I am aware of the way CVE works and that it is valid to report about deprecated releases. I was more wondering that no request/reviews seem to have happened during the process beyond the actual vulnerability reporting process. Personally I do see an imbalance here that could open a door for abuse. However, this discussion belongs in other channels as it is unrelated to OpenVAS.

> Mitre does not provide CVE names only for up-to-date software. CVE names are
> assigned to define unique vulnerabilities which occur in any piece of software
> (obsolete or up-to-date upstream, it doesn't matter).
>
> So yes, you might be able to get CVE names for old software versions if you
> want to. It is actually up to the assigner of CVE names (in most cases
> MITRE, but they also provide "ranges" for producers of software for them to
> handle as they see fit) to either provide (or not) a name.
>
> In any case, since Fedora provided OpenVAS 2.x at least in the past and
> Debian does so too it makes sense to have a common CVE name to use in
> security advisories sent by distributions and related to this vulnerability.

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel