Open Stack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/09/2013 06:59 PM, Simo Sorce wrote:
> On Fri, 2013-08-09 at 23:30 +0200, Chmouel Boudjnah wrote:
>> I am not sure how the process works for cve, but should we wait
>> for the fix being merged first?
> 
> No, CVEs are assigned (anonymously) at the moment the issues is 
> recognized as being a security issue. No details are disclosed at
> the moment the CVE Number is assigned.

This is not entirely true, I sometimes request additional details in
order to do CVE SPLIT/MERGE correctly
(http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html).
However I don't use any information I get for things like
pre-patching/etc (basically I hold off until the official
pre-notification goes out on distros).

> Embargo dates are usually agreed upon and any detail is published
> only when the embargo is lifted.
> 
> Simo.
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJSBchSAAoJEBYNRVNeJnmT6JoQALqh/mv4P8E+pkaiuOK+tpY4
Vzzn0JirAf+psOr/k0/dxw5Njdv9w8Y6rv7wrmA3oXGu8iU5fwXP7BGCBVIK7rWd
omt79ISzfhVQOe9K8rv3QPHdUQ2wHDN1+v+BdG1SaXGmbqR62R0QUvrV5B7f8qIc
ZbXwdI4d2KLV5YpWq6deQk2Y/cVV9o61r25ydhBl6U41bgqhpcKjRknl1b19I6Wo
vZkBzc3aPEL7wU4HAqwVI/2C2CdD9y9Xphlfb8Ab4GiX9+eRZ9lpu47jxqjhvhbF
lDak9l/MXVZA5cOufOBrN2Nhug6zhPpnStF1WPaU4dfnjoXs+zakYLjhfdyPOtND
mCo1G/A8wv3JRckzjzO/10dUYGE7BEssA8ROwFDhXbkUScxjMNeLHewHURpAVEYh
gXfbPrcMuvma/6j6vay9nTR3VhfRory0sFvPlD8cccmqwKwRYhEcBOkcEEKs2SZJ
A9GvqyLORQsP0BOE7kC+4EJTJl+aypgOZ5HdvaO+Pmoab8zk9H6ndPGGKCleQPsx
qf3Y4nvpSe1IuFnDTLNCadd858Tv1hvYsanAfVCPuzziGxMQLjxzG1JtDOYCjQan
fu8V51sq+1D3FhfUwWXX1q+Rdt+oI2XjuTnE68QNOqtdY13aqQpbubTo2S2+yPF8
i8tR6LBa7JjM1PxXbpeu
=roIo
-----END PGP SIGNATURE-----