Re: CVE Request: Security issue in backuppc

[Kurt Seifried <kseifrie () redhat com>]

On 01/04/2012 11:11 AM, Steven M. Christey wrote:
> All,
>
> A new CVE is needed for this.  The new variant SHOULD receive a new
> CVE because there's a different researcher (specifically, Jamie) and
> effectively a different version (probably upstream; also, many distros
> may have already fixed the original CVE-2011-3361).
>
> Blame the CVE content-decision documentation (and me, its author). 
> The current version can cause confusion, people can interpret it in
> different ways, plus there are gaps.  It needs some serious
> restructuring.  (This is why the document's not public.)
>
> Kurt (and other CNAs): the documentation problem is that ADT4 says
> "MERGE", which seems to imply that you should stop, but really you
> should continue to ADT5, which is about splitting based on different
> researchers. ADT4 is there to explicitly cover places where somebody
> might reasonably feel like splitting, but CVE does not.  There are
> also a couple other decision points that aren't documented yet.  You
> should generally fall through *all* the decision points, not just the
> first point that suggests split/merge/consult.  That is, all of ADT1
> through ADT5 should be examined when deciding how to group issues.
>
> - Steve
Ahhh.. I sort of wondered about that but never thought to ask. Derp! You
should probably update that document and post it prominently somewhere,
I know it has helped me a lot.

-- 

-- Kurt Seifried / Red Hat Security Response Team