[VIM] 267 Missing CVE in Jan, 2013 - please assign

Kurt Seifried kseifried at redhat.com
Wed Mar 20 14:03:13 CDT 2013


On 03/20/2013 12:31 PM, Brian Martin wrote:
> 
> OSVDB has currently 757 vulnerabilities for Jan 2013. Of these, 267
> do not have CVE identifiers.
> 
> For your convenience, you can use the following URL to quickly
> list them, along with the OSVDB ID. Please feel free to use our
> references and don't hesitate to ask questions!
> 
> http://direct.osvdb.org/search/search?search%5Bvuln_title%5D=&search%5Btext_type%5D=titles&search%5Bs_date%5D=2012-12-31&search%5Be_date%5D=2013-02-01&search%5Brefid%5D=&search%5Breferencetypes%5D=%21CVEID&search%5Bvendors%5D=&search%5Bcvss_score_from%5D=&search%5Bcvss_score_to%5D=&search%5Bcvss_av%5D=*&search%5Bcvss_ac%5D=*&search%5Bcvss_a%5D=*&search%5Bcvss_ci%5D=*&search%5Bcvss_ii%5D=*&search%5Bcvss_ai%5D=*&kthx=search
>
> 
> 
> or
> 
> http://preview.tinyurl.com/2013-01-missing-cve
> 
> Thanks!
> 
> Brian OSVDB.org

Apologies if the following questions have been asked/answered before;
I've only been on the VIM list for a few days now. I appreciate what
OSVDB does; it's a thankless task and a ton of work. However, I have
some concerns:

How have you confirmed that no CVE is assigned? E.g. a quick look and
I see at least one for which I assigned CVEs publicly:

http://direct.osvdb.org/show/osvdb/89328
Piwik Multiple Unspecified XSS
http://piwik.org/blog/2013/01/piwik-1-10/

I assigned the CVEs here:
http://www.openwall.com/lists/oss-security/2013/01/17/15

based on the same URL as you
(http://piwik.org/blog/2013/01/piwik-1-10/). So I can't simply use
this list to assign CVEs for the Open Source stuff since it is
incorrect (e.g. stuff for which you say no CVE is assigned does have
CVEs assigned). I also don't have the time to confirm a CVE was not
assigned through some other method (e.g. via Mitre/etc.).

Also, for the vendor stuff like Apple/Adobe/Google where that vendor is
a CNA, have you reached out to them to confirm no CVE is assigned
and/or get a CVE assigned as needed?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

