
Re: [Xen-devel] [Xen-security-issues-discuss] Assigning of CVEs to XSAs



A security predisclosure list member wrote, to the mailing list
xen-security-issues-discuss, an enquiry about how CVEs are allocated
(particularly, the timing).  There followed a thread on that list.

That message (and the subsequent thread) were off-topic for
Xen-security-issues-discuss and should not have been approved.  The
policy says:

  | Messages dealing with policy matters will be rejected with a
  | reference to the Security Team contact address and/or public Xen
  | mailing lists.

It is not appropriate for policy matters to be discussed on the
xen-security-issues-discuss list, because that list is not public.
Policy discussions should be open to the whole community.


Personally I would prefer to publish the whole thread in the interests
of transparency, but I think convention prevents me from doing so.
But, in summary:

The thread comprised 8 messages.  The Security Team responded with
explanations about the team's current practice in requesting CVEs,
which I have quoted/summarised below.  There were suggestions for ways
to speed up the CVE assignment, but no change to the process resulted.
The thread seems to have died out now.  Below you can find quotes from
the team members' emails.


Any changes or improvements to the working practices of the Security Team
should not originate in these kinds of irregular discussions on
xen-security-issues-discuss.

If any of the participants of the thread I refer to above would like
to raise these questions in public, they are of course welcome to do
so.

And of course community members (whether predisclosure list members or
not) are welcome to email security@xenproject.

Thanks,
Ian.


First message from a security team member about the team's current
working practices:

  CVEs are issued by a third party from whom we must request a number each
  time we publish an issue. We have no control over the timeliness of
  their responses and we obviously do not wish to hold up the publication
  of an advisory waiting for a CVE assignment.

  When we do receive a CVE allocation for an issue we try and update the
  advisory promptly.

  I would recommend likewise that you do not wait for a CVE before
  publishing once the embargo expires. In the worst case an XSA can be
  correlated with a CVE using the information at
  http://xenbits.xen.org/xsa/ until such a time as you choose to update
  your packages to add it.

Second message from a security team member with clarification:

  > [when does the Xen team request a CVE?]

  Nowadays we request them automatically with sending out the first
  version of the pre-disclosure.

And there was a third message from a team member confirming that we
aim to send out an updated advisory (to the predisclosure list, or
publicly, as appropriate) as soon as we receive a CVE assignment.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
