
Re: Submitting multiple CVEs in the same bug report



On Fri, 10 Apr 2009 18:15:06 +0200
sean finney <seanius@debian.org> wrote:

> hi guys,
> 
> On Fri, Apr 10, 2009 at 02:27:46PM +0200, Nico Golde wrote:
> > > I ask because I recently submitted a bug on php5 and got pushback from
> > > the maintainer saying that I should not have submitted multiple
> > > vulnerabilities in one report [1].
> > 
> > I CCed seanius to this as he was the one who said that. In 
> > general there is no consensus about that but just some 
> > maintainers prefer that.
> 
> i think it's probably a preference thing.  however, with php it's a
> very strong preference on my part to have multiple reports:
> 
>  * often the CVE's themselves are "multiple vulnerabilities", so it's
>    already kinda hard to track this.
>  * often the CVE's are of wildly different severity
>  * sometimes we neglect to immediately fix some of the lower severity
>    CVE's while closing others.
> 
> > I personally agree with you, it makes our job a lot easier 
> > and the maintainer always has the ability to clone and 
> > retitle bugs. However there are some cases in which I 
> > refrain from reporting one big report. In case you can 
> > subdivide the vulnerabilities in parts which logically fit 
> > in the same category I think it makes more sense to split 
> > them instead of reporting one huge grave bug.
> 
> what's the overhead on the security team's side for this,
> out of curiosity?  if it's just the reporting process, maybe
> some kind of CVE-fetching wrapper script could trim that down?

There isn't a whole lot of overhead (sending multiple emails and
entering multiple different bugs into the tracker instead of just one).
There is also the logistical matter of keeping track of the maintainers
that prefer one or the other way. Also, we get a whole chunk of CVEs at
a time and it's easier to deal with them in bulk.

I'm going to add some wording to the security introduction, and I'll
make a note that per-CVE reports are preferred for php.

Mike

