Re: [Xen-devel] [Xen-security-issues-discuss] Assigning of CVEs to XSAs
A security predisclosure list member wrote, to the mailing list xen-security-issues-discuss, an enquiry about how CVEs are allocated (particularly, the timing). There followed a thread on that list.

That message (and the subsequent thread) were off-topic for Xen-security-issues-discuss and should not have been approved. The policy says:

| Messages dealing with policy matters will be rejected with a
| reference to the Security Team contact address and/or public Xen
| mailing lists.

It is not appropriate for policy matters to be discussed on the xen-security-issues-discuss list, because that list is not public. Policy discussions should be open to the whole community.

Personally I would prefer to publish the whole thread in the interests of transparency, but I think convention prevents me from doing so. But, in summary:

The thread comprised 8 messages. The Security Team responded with explanations about the team's current practice in requesting CVEs, which I have quoted/summarised below. There were suggestions for ways to speed up the CVE assignment, but no change to the process resulted. The thread seems to have died out now.

Below you can find quotes from the team members' emails.

Any changes or improvements to the working practices of the Security Team should not originate in this kind of irregular discussion on xen-security-issues-discuss. If any of the participants of the thread I refer to above would like to raise these questions in public, they are of course welcome to do so. And of course community members (whether predisclosure list members or not) are welcome to email security@xenproject.

Thanks,
Ian.

First message from a security team member about the team's current working practices:

CVEs are issued by a third party from whom we must request a number each time we publish an issue. We have no control over the timeliness of their responses and we obviously do not wish to hold up the publication of an advisory waiting for a CVE assignment.

When we do receive a CVE allocation for an issue we try and update the advisory promptly. I would recommend likewise that you do not wait for a CVE before publishing once the embargo expires. In the worst case an XSA can be correlated with a CVE using the information at http://xenbits.xen.org/xsa/ until such a time as you choose to update your packages to add it.

Second message from a security team member with clarification:

> [when does the Xen team request a CVE?]

Nowadays we request them automatically with sending out the first version of the pre-disclosure.

And there was a third message from a team member confirming that we aim to send out an updated advisory (to the predisclosure list, or publicly, as appropriate) as soon as we receive a CVE assignment.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel