Re: How to track vulnerability fixes

Hi,

since nobody else answered:

Sandeep Umesh wrote on Tue, Jan 31, 2017 at 11:44:31AM +0530:

> We have 5 security related fixes, however a CVE # has been assigned
> to only 2 of them (CVE-2016-6210 and CVE-2015-8325).  Does that
> mean the other 3 are non-security-related fixes?

No.  If it's marked as a security fix on the errata page,
for example http://www.openbsd.org/errata60.html ,
or if it's listed on https://www.openssh.com/security.html ,
then it's a security fix.

> When does a security fix qualify to be assigned a CVE #?

Never.  OpenBSD doesn't use the CVE process at all.

A CVE number has no meaning whatsoever.

If a CVE number is assigned to an OpenBSD or OpenSSH bug, then that
usually means that some third party requested it.  Sometimes that
happens, but usually it doesn't.  OpenBSD developers mostly ignore
the CVE process even in cases where some third party bothers to
request a CVE number.

If a CVE number was assigned, it is often listed, but not even that
is guaranteed.  And even if a CVE number is assigned, that doesn't
imply that it's security related.  Just as there are important
vulnerabilities without CVEs, there are CVEs that have no security
implications.

Do not report (suspected or confirmed) OpenSSH security issues
to any third party, not even to MITRE.  Please report them to
<openssh@xxxxxxxxxxx>, or if they are not security related, to
this list or to https://bugzilla.mindrot.org/ .

Yours,
  Ingo
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev