
Re: (ITS#9124) CVE-ID?



On 1/10/20 2:28 PM, Stephan Zeisberg wrote:
> So far I have not requested a CVE-Id for the issue. That's what Howard
> wrote in this regard:
> 
>> Usual practice for CVEs is not to make them public until fixes are
>> released. In the future, you should tick the Major Security Issue
>> button for potential CVEs so they can be handled privately before
>> release.
>
> I am not aware of a release including the bugfix for the issue. If the
> release already exists, I am happy to request a CVE-Id for it.

First of all, many thanks for finding and submitting issues like this.

Disclaimer: I'm not an official OpenLDAP project member and I'm not an
expert for this CVE-ID process.

From my understanding you can request a CVE-ID which is kept
confidential until the vendor has developed a fix. This is useful to
already have a unique reference for all the work done upstream to fix a
particular security issue and for applying back-port patches to
downstream packages (e.g. in Linux distributions).

Furthermore, OpenLDAP's ITS allows marking an issue as a security issue,
which hides it from public access.

I read Howard's comment as meaning exactly this.

Ciao, Michael.