[EXT] VLC issue


[EXT] VLC issue

Art Manion
CVE (using MITRE's corporate twitter handle @MITRECorp) getting some criticism in this thread:

https://twitter.com/videolan/status/1153963312981389312

The larger issues go beyond the CVE project.  But in scope for CVE:

1. Mark CVE-2019-13615 as disputed?

2. Modify description to point to libebml instead of VLC?  NVD has added a note:

https://nvd.nist.gov/vuln/detail/CVE-2019-13615

"NOTE: It has been reported that the vulnerability originates in libebml before 1.3.6 and was fixed in the 3.0.3 binary version of VLC."

3. Seems like VLC is not a CNA?

https://twitter.com/videolan/status/1153965981536010240

4. As someone in favor of faster assignments, here's an example of loss of quality, which I accept, but quality should be noted as low (at least with the disputed flag) and improved as more information becomes available.

Regards,

 - Art

RE: [EXT] VLC issue

Coffin, Chris
Art,

The note statement was added by the CVE team earlier today based on the information we have right now. It's in GitHub and should show up on the web site in the next few minutes. We are planning to reach out to VLC to see if they feel other changes need to be made (e.g., dispute the entry).

Chris


RE: [External] RE: [EXT] VLC issue

Beverly Miller
Is there any reason they are not a CNA?



Beverly Miller Alvarez
Principal Program Manager
Product Security Office
919-294-5873
[hidden email]

Re: [External] RE: [EXT] VLC issue

Kurt Seifried-2
They haven't asked?



--
Kurt Seifried
[hidden email]

Re: [External] RE: [EXT] VLC issue

Kurt Seifried-2
Also there's some open source here that the EU and the world in general cares about:


that should probably be made CNAs (the ones covered are some 1 person projects as I understand it, so they may not be able to be/want to be a CNA, but some sort of parent that could cover them would be good). 



--
Kurt Seifried
[hidden email]

RE: [External] RE: [EXT] VLC issue

Beverly Miller

I thought I read they had asked MITRE how they could manage their own CVEs… whether they actually did/didn't, I can't know.

 

 



RE: [External] RE: [EXT] VLC issue

Evans, Jonathan L.

https://twitter.com/videolan/status/1153965981536010240

 

It looks like they asked NVD instead of MITRE.  Kurt explained that NVD isn’t the one to contact: https://twitter.com/kurtseifried/status/1154081480848506880.

 

 

-

Jonathan

 



Re: [External] RE: [EXT] VLC issue

Kurt Seifried-2
They blocked me on twitter, so I'm out of this specific issue (they aren't very nicely behaved people, I don't want to deal with them). 




--
Kurt Seifried
[hidden email]

Re: [EXT] VLC issue

Art Manion
In reply to this post by Art Manion
On 7/24/19 12:30 PM, Art Manion wrote:
> CVE (using MITRE's corporate twitter handle @MITRECorp) getting some criticism in this thread:
>
> https://twitter.com/videolan/status/1153963312981389312

Some further discussion on Twitter:

https://twitter.com/WeldPond/status/1154471192851550208

The lack of a CVE for the libebml vulnerability was a major factor, and there is an offer from WeldPond to talk about data/help CVE, which we should engage him on.

  - Art



Re: [EXT] VLC issue

Kurt Seifried-2
Does anyone know when VLC asked to be a CNA? They were never sent to the DWF, so I assume this may have been a long time ago?


--
Kurt Seifried
[hidden email]

RE: [EXT] VLC issue

Bazar, Jo E.

Hi Kurt,

Jonathan and I checked our records, and we do not see a request from VLC to become a CNA. Our records go back a few years.

 

Respectfully,

Jo Bazar
CVE Team
[hidden email]
703-983-3699


RE: [EXT] VLC issue

Coffin, Chris
In reply to this post by Art Manion
Art,

Note that the CVE description was updated based on the most recent information provided by VLC and the Ubuntu advisory.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13615.

> an offer from WeldPond to talk about data/help CVE, which we should engage him on.
Agreed.

Chris


RE: [EXT] VLC issue

Coffin, Chris
In reply to this post by Bazar, Jo E.

Kurt,

Didn't they say they contacted NIST to be a CNA at some point?

Dave: Does NIST have any record of this?

Chris


Re: [EXT] VLC issue

Art Manion
In reply to this post by Coffin, Chris
On 7/25/19 5:36 PM, Coffin, Chris wrote:

> Note that the CVE description was updated based on the most recent information provided by VLC and the Ubuntu advisory.
>
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13615.

ACK and good.  I'm not raising these issues to criticize the root CNA's performance, which I consider to be completely reasonable (good in fact).  I'm noting that the lack of a CVE ID for the libebml vulnerability was a major factor in the downstream mess, including that Ubuntu 18.x didn't address the vulnerability.  This is a call for more CVE IDs, which cannot fall on the root CNA to handle, but instead should land on software developers/vendors/maintainers.  If you fix vulns, issue CVE IDs.

  - Art

Re: [EXT] VLC issue

Tod Beardsley
"If you fix vulns issue CVE IDs"

Put this on a T-shirt plz.

--
"Tod Beardsley"
Director of Research
+1-512-438-9165 | https://keybase.io/todb
