CVE for recent Constant Hashtable Seeds issue? #739
Comments
|
@sam-github can speak to this in more detail but I know we had a hard time requesting one from MITRE and decided not to wait for it. |
|
I'll ping MITRE and see if they know anything. I'll let you know what I find. Thanks. |
|
@mhdawson went through the MITRE submission process weeks ago, and has not heard back from them. |
|
Greetings, did you send the request through https://cveform.mitre.org/? If so, when did you send that request? The last request we saw from @mhdawson was on 6/27, which we responded to. Thanks! -Dan, with the CVE Team |
|
I'll check when I submitted it but I submitted a follow up using the form as suggested in the initial response and was still waiting to hear back. |
|
Yes, if you can give us an idea of when to look, we will hunt it down and get it processed. We apologize for the delay on it. Thanks. |
|
From the internal issue I noted that I submitted the request for the CVE on the 27th of June using the form. I assume the one you say you responded to was the original question about how to submit ? |
|
@dadinolfi thanks for following up. I wonder if we could schedule a time to talk on the phone/hangout etc. It would be useful for me to have a better understanding of the overall process and our options for requesting CVEs so that we can document the process internally. |
|
Sure thing. Drop us an email at cve@mitre.org, and I'll follow up. |
|
I've talked to @dadinolfi to get a better understanding of the options for getting/handling CVE's and I have an email from Mitre with a number. So the ball is in my court to better understand the process and then provide the required description/data to Mitre. I'm out travelling the next week so that will slow me down a bit but it is high on my list of things to get done. |
|
@mhdawson Can you share the CVE ID, I have an updated node.js going out soon that includes this fix. Also, I'm happy to help you out with CVE issues. I've been doing it for a very long time and node.js having proper IDs makes my life easier. |
|
My understanding from my talk with Mitre is that the CVE should be given out at the same time that it is published by Mitre (or close). I know this is not always what happens, but I don't want to start out on the wrong foot as it was pretty clear that the desired case is not to give out the CVE in advance. @joshbressers we should b having a public discussion on how to handle CVE's going forward and it will be good to leverage your experience as part of that discussion. |
|
This advice doesn't quite sound right. There's no issue if you publish a CVE ID via an advisory before MITRE has it in their dataset. The idea is to make sure they have correct details quickly which can be done via cveform.mitre.org |
|
Ideally, the publishing of the information online about a CVE ID and the population of the CVE ID in the CVE List should happen about the same time. The information must be published somewhere (not the CVE List) before the CVE ID can be populated, though, so the References for the CVE ID should be live when you submit the request for populating the CVE ID entry. Josh is right. You can publicly reference the CVE ID before it is populated in the CVE List. But once you use it publicly, people will start looking at the CVE List for the details, and unless we have the information populated, they will only get a "reserved" CVE entry. This is why we are asking folks to give us the information we need to populate the CVE entry ASAP. The URL that Josh pointed to at the start of this thread is enough public information to populate the CVE ID. If you wanted to share the CVE ID with others, I suggest you submit a publication request to MITRE including that reference as described in Appendix B of the CNA Rules (even though you aren't a CNA yet). We can populate the entry at that point, and if you have updates, you can request those as you go along. Does that make sense? Thanks. |
|
I can submit the CVE ID (I have some to submit in the very near future) if that would be helpful (I know this can all be a bit confusing at first). |
|
@dadinolfi I had put together the content for a submission based on Appendix B yesterday and allowed for community review today. I have now have submitted the publication request through the web form. @joshbressers the CVE number was CVE-2017-11499. |
|
@joshbressers I opened an issue here nodejs/security-wg#33 to discuss how we should manage CVE's here would be great if you could comment with your thoughts. I'm going to close this issue as I think having close the loop on issuing the CVE this topic is closed. |
Apologies if this is covered somewhere else. I'm looking for a CVE ID for the Constant Hashtable Seeds issue here:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
Thanks in advance.
The text was updated successfully, but these errors were encountered: