[Freedombox-discuss] secure UUIDs

On 07/22/2013 06:30 AM, Tim Retout wrote:
> Indeed, in hindsight that would have been better.  :( Apologies.
> What really annoys me about this is that other distros do use the real
> Data::UUID, but I struggled to get a CVE filed - how on earth does one go
> about it?

For free software (like Data::UUID) you'd want to request it on
oss-security at lists.openwall.com.  Kurt Seifried <kseifried at redhat.com>
monitors that list and can assign CVEs.

Kurt likes free software CVE requests to contain pointers to explicit
bug reports, relevant sections of code, revision control commits (if
any exist) which introduce or fix the bug, and a clear and concise
explanation of the vulnerability.  He issues about a thousand of these
things a year (on top of his other work), and is responsible for making
sure that duplicates aren't issued, etc, so any steps that make it
simpler/easier for him to understand the issue clearly are worth taking.

If you're having trouble getting a CVE from Kurt via that list, please
write me off-list and I can try to help you draft something acceptable.
