Merging Core and Extras affecting security updates
Mark J Cox
mjc at redhat.com
Tue Feb 6 11:51:40 UTC 2007
On Sun, 28 Jan 2007, Pavel Kankovsky wrote:
> How much time does it take to get a new CVE number? Hours? Days?
> How do you handle duplicate CVEs? (I don't know how often it happens
> nowadays but they had some duplicate entries in the past.)
Red Hat is a Candidate Naming Authority which means that for issues that
are not already public we can assign names from our pool. Where an issue
is public Mitre usually respond within a day or two. We can get them to
respond faster if it's urgent (like some new issue that's critical and
going to get a lot of attention).
>> NVD say these are "user complicit" and marked as local.
> I think they got it wrong. See above.
A severity rating system is useless to us if it reaches a level of
complexity where 1) it's unlikely two researchers will assign the same
values given the same conditions and 2) it takes longer to assign a
severity rating than triage and fix the flaw. But based on your comments
we do plan on looking at a sampling of more recent CVSS examples on NVD
again and seeing if they're getting closer to being useful.
Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
More information about the Fedora-security-list mailing list