jive
September 20, 2023, 1:39am
Follow up to this week’s meeting.
As research for GSIP-220 I have made a second attempt to update CVE-2023-35042 via a pull request (https://github.com/github/advisory-database/pull/2721) to the GitHub advisory database.
As part of the pull-request review the following were updated:
CVE-2023-35042
And although I cannot quite tell what was changed the original jai-ext one was updated also:
CVE-2022-24816
The process was much more positive/successful than the attempt at working via MITRE.
–
Jody Garnett
> On 20-09-2023 at 03:39 Jody Garnett wrote:
> Follow up to this week's meeting.
> As research for GSIP-220 I have made a second attempt to update CVE-2023-35042 via a pull request (https://github.com/github/advisory-database/pull/2721) to the GitHub advisory database.
> As part of the pull-request review the following were updated:
> CVE-2023-35042
> * https://github.com/advisories/GHSA-59x6-g4jr-4hxc
> And although I cannot quite tell what was changed the original jai-ext one was updated also:
> CVE-2022-24816
> * https://github.com/advisories/GHSA-v92f-jx6p-73rx
> The process was much more positive/successful than the attempt at working via MITRE.

The problem is that these changes don't propagate "up"; unless GH is the CNA (CVE Numbering Authority == assigner of the CVE) the changes are on the GH side only and not in the MITRE database (https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD data/APIs (https://nvd.nist.gov/vuln/detail/CVE-2023-35042).
I know the pain of trying to work with Mitre (and Sonatype as well) and unresponsive reporters; it's very discouraging at best.
Mark
jive
September 20, 2023, 2:53pm
Indeed,
I am not sure about working with MITRE after our initial poor experience. Maybe if we can push up a link to the project issue or something which we control?
Still the goal of GSIP-220 proposal is to use the GitHub security advisory database to request new CVE numbers. I think it is a worthwhile step for managing known issues and improving interactions.
Jody
On Wed, Sep 20, 2023 at 5:29 AM mark <mc.prins@anonymised.com> wrote:
> On 20-09-2023 at 03:39 Jody Garnett wrote:
>> Follow up to this week's meeting.
>> As research for GSIP-220 I have made a second attempt to update CVE-2023-35042 via a pull request (https://github.com/github/advisory-database/pull/2721) to the GitHub advisory database.
>> As part of the pull-request review the following were updated:
>> CVE-2023-35042
>> And although I cannot quite tell what was changed the original jai-ext one was updated also:
>> CVE-2022-24816
>> The process was much more positive/successful than the attempt at working via MITRE.
> The problem is that these changes don't propagate "up"; unless GH is the CNA (CVE Numbering Authority == assigner of the CVE) the changes are on the GH side only and not in the MITRE database (https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD data/APIs (https://nvd.nist.gov/vuln/detail/CVE-2023-35042).
> I know the pain of trying to work with Mitre (and Sonatype as well) and unresponsive reporters; it's very discouraging at best.
> Mark
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel