On Sun, 9 Aug 2009 21:11:44 +0200 Moritz Muehlenhoff wrote:

> On Sun, Aug 09, 2009 at 01:34:21PM -0400, Michael S. Gilbert wrote:
> > On Sun, 9 Aug 2009 19:02:49 +0200 Nico Golde wrote:
> > >
> > > Hi,
> > > * Michael S. Gilbert <[email protected]> [2009-08-09 18:42]:
> > > > On Sun, 9 Aug 2009 13:56:23 +0000 Nico Golde wrote:
> > > >
> > > > > Author: nion
> > > > > Date: 2009-08-09 13:56:23 +0000 (Sun, 09 Aug 2009)
> > > > > New Revision: 12531
> > > > >
> > > > > Modified:
> > > > > data/CVE/list
> > > > > Log:
> > > > > add todos for new items, please do that as well next time
> > > > >
> > > > > Modified: data/CVE/list
> > > > > ===================================================================
> > > > > --- data/CVE/list 2009-08-09 13:55:11 UTC (rev 12530)
> > > > > +++ data/CVE/list 2009-08-09 13:56:23 UTC (rev 12531)
> > > > > @@ -4,11 +4,13 @@
> > > > > - rubygems <not-affected>
> > > > > NOTE: debian's version installs gems packages to /var/lib/gems,
> > > > > NOTE: so no opportunity to overwrite system files
> > > > > + TODO: request CVE id
> > > >
> > > > OK, is a mail to oss-sec like yours sufficient? Also, I thought there
> > > > were going to be some workflow changes where the security team could
> > > > autonomously assign a CVE from a pool allocated to Debian. Are there
> > > > any formal plans for that? Or would that only be done along with a DSA?
> > >
> > > Sorry, misunderstanding: I was just referring to the TODO
> > > entries. Just add those TODOs in the future and you'll be
> > > fine. I just want to make sure nothing is missing later.
> >
> > OK, can and should I go ahead and send the mail to oss-sec also? Or are
> > only select people in Debian supposed to do that?
>
> We should be careful that IDs are only requested if they've received
> a little bit of investigation, to prevent bogus issues from receiving
> a CVE ID.
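Review bot: the added `+ TODO: request CVE id` line sits directly under an entry marked `<not-affected>`, whose two NOTE lines explain why Debian's rubygems is not exposed, so on its own the TODO does not say what the CVE request would be for. Suggest the TODO name the source of the report (the thread mentions oss-sec), e.g. `TODO: request CVE id for the upstream issue reported on oss-security`, so that whoever later acts on it can investigate and word the request against the upstream problem rather than the Debian package, which is also the "a little bit of investigation" check asked for below.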
I understand the need for care, and I am being careful, but I don't see this as much of a problem. If an issue is subsequently determined to be unimportant, it can just get REJECTED. I'd rather err on the side of caution and get a CVE for all potential security issues so they can be uniquely and globally tracked (and not just within Debian). But I will follow your guidelines. If you just want TODOs, then I will just do TODOs.

> I guess it depends on where the information is coming from.

The sources of the problems I have been reporting are either oss-security, full-disclosure, or other distro security mailing lists.

mike

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

