| | disclosure:cve [2014/06/05 02:52] solar link to Kurt's howto | | disclosure:cve [2026/04/20 01:33] (current) solar updated with content from https://www.openwall.com/lists/oss-security/2026/04/19/2 |
|---|---|---|---|
| Line 1: | Line 1: | ||
| ===== CVE ===== | ===== CVE ===== | ||
| - | Common Vulnerabilities and Exposures ([[http://cve.mitre.org/|CVE]]) IDs are a unique identifiers given to security flaws. The [[http://cve.mitre.org/about/faqs.html#a1|CVE FAQ]] describes it best. CVE has be come a //de facto// standard for identifying vulnerabilities and security flaws. | + | Common Vulnerabilities and Exposures ([[https://www.cve.org]]) IDs are a unique identifiers given to security flaws. The CVE FAQ described it best. CVE has be come a //de facto// standard for identifying vulnerabilities and security flaws. |
| A1. What is CVE? | A1. What is CVE? | ||
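Review bot: the new first paragraph drops the link to the CVE FAQ but keeps the quoted "A1. What is CVE?" answer that follows it, so the reader no longer knows where the quote comes from; either link the FAQ at its current location or drop the quote. While touching the sentence, fix the typos carried over from the old version: "are a unique identifiers" should be "are unique identifiers", "has be come" should be "has become", and "described it best" should stay in the present tense ("describes") since the quote still follows.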
| Line 10: | Line 10: | ||
| ===== Obtaining a CVE id ===== | ===== Obtaining a CVE id ===== | ||
| - | CVE monitors common vulnerability disclosure sources and assigns CVEs as new vulnerabilities are reported. To obtain a CVE before public disclosure, contact CVE or another CVE Numbering Authority ([[http://cve.mitre.org/cve/cna.html|CNA]]). CVE IDs for publicly-disclosed vulnerabilities in Open Source software are best obtained by posting a request to the [[:mailing-lists/oss-security|oss-security mailing list]]. | + | oss-security has not been used for CVE assignment requests since 2017: |
| + | https://www.openwall.com/lists/oss-security/2017/02/09/7 | ||
| - | See also: | + | To request a CVE be assigned for open source software that's not covered |
| + | by a specific CNA you can submit a request to either MITRE or the Red Hat | ||
| + | open source CNA: | ||
| - | * [[http://cve.mitre.org/about/faqs.html#a13|A13. I discovered a new vulnerability or exposure. How can I obtain a CVE number?]] | + | - https://www.cve.org/ReportRequest/ReportRequestForNonCNAs |
| - | * [[https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html|CVE OpenSource Request HOWTO]] by Kurt Seifried | + | - https://access.redhat.com/articles/red_hat_cve_program |
| - | + | ||
| - | ===== Information for CVE request===== | + | |
| - | + | ||
| - | ==== Required ==== | + | |
| - | + | ||
| - | - Email address of requester (so we can contact them) | + | |
| - | - Software name and optionally vendor name | + | |
| - | - At least one of (to determine is this a security issue): | + | |
| - | - Type of vulnerability | + | |
| - | - Exploitation vectors | + | |
| - | - Attack outcome | + | |
| - | - For Open Source at least one of: | + | |
| - | - Link to vulnerable source code or fix | + | |
| - | - Link to source code change log | + | |
| - | - Link to security advisory | + | |
| - | - Link to bug entry | + | |
| - | - Request comes from project member (a.k.a. "trust me, it's a problem") | + | |
| - | - Affected version(s) (3.2.4, 3.x, current version, all current releases, something) | + | |
| - | - Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign) | + | |
| - | - Is this an Open Source or commercial software request | + | |
| - | - Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to distros@?) | + | |
| - | - If multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge). | + | |
| - | + | ||
| - | ==== REQUESTED ==== | + | |
| - | + | ||
| - | - More of the above information of course | + | |
| - | - Software version(s) fixed (if available) | + | |
| - | - For closed source any of the information from "For Open Source at least one of:" | + | |
| - | - Any additional information | + | |
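Review bot: the rewrite deletes the whole "Information for CVE request" checklist (affected versions, link to the fix or advisory, whether the issue is embargoed, split/merge details for multiple issues) instead of updating it, yet a requester filling in the MITRE form or writing to the Red Hat CNA still needs exactly that information; keep the checklist as a section under the two new links, and replace the "send to cve-assign / distros@" advice in the embargo item with guidance that matches the new destinations, since the new text no longer says what to do for an issue that is not yet public (the old paragraph at least distinguished pre-disclosure requests from public ones). Also, the pasted text is broken mid-sentence across lines ("that's not covered / by a specific CNA you can submit a request to either MITRE or the Red Hat / open source CNA:"); join it into one sentence, and give the two bare URLs link text the way the old version did for its links.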