RE: Re: [Red Hat - Possible Forgery] Re: [oss-security] Ruby CVEs

["Christey, Steven M." <coley () mitre org>]

I agree that oss-security is not just for CVE requests (although that's what it feels like sometimes), but duplicate 
CVEs are a pain for everybody.  When posting to oss-security, it's reasonable to say whether CVEs have already been 
requested or not.  There is not a well-established infrastructure or communication channel to closely coordinate CVE 
assignments between MITRE and Kurt.

- Steve


> -----Original Message-----
> From: Reed Loden [mailto:reed () reedloden com]
> Sent: Wednesday, March 20, 2013 5:19 AM
> To: oss-security () lists openwall com
> Cc: kseifried () redhat com; Henri Salo; larry0 () me com; Christey, Steven M.
> Subject: Re: [oss-security] Re: [Red Hat - Possible Forgery] Re: [oss-security]
> Ruby CVEs
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 20 Mar 2013 03:04:30 -0600
> Kurt Seifried <kseifried () redhat com> wrote:
>
> > Please don't send requests to oss-sec if you already sent a request to
> > Mitre/anyone else. Also I don't seem to have these in my emails from
> > Mitre (to VIM list or anywhere else)?
>
> To be fair, this list isn't just for CVE requests... It's for security
> issues in open source software[0]. As somebody who relies on this list
> and others like it to stay on top of current issues, I definitely
> appreciate the notification, even if CVEs have already been assigned. :)
>
> ~reed
>
> [0] http://oss-security.openwall.org/wiki/mailing-lists/oss-security
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAlFJfwsACgkQa6IiJvPDPVqSigCfYT4IEI9+DgyaE3UyPCne1/Vb
> RpkAnAmNO0ivQgqqVQuI6CERrAJULa6L
> =MCHH
> -----END PGP SIGNATURE-----