[Freedombox-discuss] secure UUIDs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 22 15:18:59 UTC 2013


On 07/22/2013 06:30 AM, Tim Retout wrote:
> Indeed, in hindsight that would have been better.  :( Apologies.
> 
> What really annoys me about this is that other distros do use the real
> Data::UUID, but I struggled to get a CVE filed - how on earth does one go
> about it?

For free software (like Data::UUID) you'd want to request it on
oss-security at lists.openwall.com.  Kurt Seifried <kseifried at redhat.com>
monitors that list and can assign CVEs.

Kurt likes free software CVE requests to contain pointers to explicit
bug reports, relevant sections of code, revision control commits (if
any exist) which introduce or fix the bug, and a clear and concise
explanation of the vulnerability.  He issues about a thousand of these
things a year (on top of his other work), and is responsible for making
sure that duplicates aren't issued, etc, so any steps that make it
simpler/easier for him to understand the issue clearly are worth taking.

If you're having trouble getting a CVE from Kurt via that list, please
write me off-list and I can try to help you draft something acceptable.

Regards,

	--dkg
