
Submitting multiple CVEs in the same bug report



Hello,

What is the modus operandi for submitting multiple CVEs in the same bug
report?

I ask because I recently submitted a bug on php5 and got pushback from
the maintainer saying that I should not have submitted multiple
vulnerabilities in one report [1].

From my perspective, being able to submit multiple vulns makes the job
of the security team (and assistants) much easier and straightforward.
And if the maintainer prefers to track vulnerabilities individually,
then they always have the option to do so at their own leisure (via
cloning).

It may be useful to state this as the common practice/policy in the
security-tracker overview doc.  If there are no objections, I will
modify the wording to include such a statement.

Thanks,
Mike

[1] http://bugs.debian.org/523028

