A few questions about cve.mitre.org

Josh Bressers bressers at redhat.com
Mon Apr 24 11:06:09 UTC 2006


> There is something I've always wondered...   How do CVE items in 
> CVE's database have their status changed?  In my time of working with
> vulnerabilities, I have only seen a few items graduate from 
> Status="Candidate" to Status="..." (is it "Confirmed"?).

This along with much other information is covered here:
http://cve.mitre.org/about/

> Another question.  How does one submit information or corrections
> to the cve.mitre.org folks?  

You can mail cve at mitre.org with your corrections.  Please keep in mind that
they are swamped with the volume of security issues, so your correction
will take some time.

> Also -- What makes the CVE maintainers notice a given advisory and
> maybe skip another?  The Fedora Legacy advisory FLSA:186277 mentioned
> in CVE-2006-0058's references is referring to an obsolete advisory, as
> Legacy had to re-release sendmail with an updated advisory.
> 
>   * The original Legacy advisory for this issue is at
>     <http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded>
>     (also at <http://www.securityfocus.com/archive/1/428656/100/0/threaded>)
> 
>   * The updated Legacy advisory is at
>     <http://www.securityfocus.com/archive/1/430308/100/300/threaded>
> 
> Do we need to renumber the advisory so it will get attention by the CVE
> folks?  Or make a special effort to send mail to the CVE people letting
> them know that the reference in CVE-2006-0058 needs updating?  If so, who
> do we write?

You can mail them telling them where the new advisory is (once again
though, this will take time to be updated as this would be a low priority
task).  This is one of the problems with using a mailing list to publish
your advisories.  Once it's published, it's read only.

-- 
    JB




More information about the Fedora-security-list mailing list