Security update process without CVEs

Eric H. Christensen sparks at fedoraproject.org
Tue Jan 21 22:01:00 UTC 2014


On Tue, Jan 21, 2014 at 04:31:10PM -0500, Eric H. Christensen wrote:
> On Tue, Jan 21, 2014 at 04:26:19PM -0500, Dan Scott wrote:
> > I tried following
> > https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBugs
> > but it appears to depend on waiting on a CVE, which upstream did not
> > yet have... but upstream had already pushed the new release to CPAN.
> 
> You may be able to request the CVE yourself.  I'm trying to contact the guy that handles those things for FOSS but a netsplit is keeping me from talking to him at the moment.

And a response from the CVE guy...

On 01/21/2014 02:31 PM, Eric H. Christensen wrote:
> On Tue, Jan 21, 2014 at 04:26:19PM -0500, Dan Scott wrote:
>> I tried following
>> https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBugs
>> but it appears to depend on waiting on a CVE, which upstream did not
>> yet have... but upstream had already pushed the new release to
>> CPAN.

Has upstream requested a CVE yet? If so we'd be waiting on them. If
not you can request one via the OSS-Security list:
oss-security at lists.openwall.com and Mitre should assign one shortly.

> You may be able to request the CVE yourself.  I'm trying to contact
> the guy that handles those things for FOSS but a netsplit is
> keeping me from talking to him at the moment.
>
> -- Eric

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

--Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------

