Re: pulling in other vulnerability databases
On Thu, 2018-01-25 at 11:05 -0500, Antoine Beaupré wrote:

> I'm not sure what to say to nodesecurity.io folks

I've already contacted them multiple times in 2014 and once in 2016
about incorporating CVEs into their workflow. The responses were
positive but didn't result in much change, except when the issues were
sent to oss-sec or Mitre by the Debian security team or myself or
others. Most of their recent advisories have CVEs but some don't. I'm
guessing the researchers who discovered the issues are getting CVEs.
I think the best outcome would be if NodeSecurity could become a CNA so
they could issue CVEs immediately with each advisory they send out.

https://marc.info/?i=1399944995.3095.25.camel@chianamo
https://marc.info/?i=1411952951.6106.20.camel@bonedaddy.net
https://marc.info/?l=oss-security&m=139757263925026&w=2
http://www.openwall.com/lists/oss-security/2016/02/20/2
http://www.openwall.com/lists/oss-security/2016/01/12/2

> pabs, did you have any issues in mind that were problematic here
> specifically?

Here is one example culled from my email archive:

http://bugs.debian.org/862712
https://nodesecurity.io/advisories/338
https://security-tracker.debian.org/tracker/862712

It didn't end up getting added to the security tracker, didn't get a
CVE and only got fixed in Debian after I filed a bug about it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise