* Thomas Orgis:
> On Tue, 27 Sep 2016 10:27:04 +0100,
> James Cowgill <jcowg...@debian.org> wrote:
>
>> Does this have a CVE ID? If not it should get one.
>
> I wondered about that. At the moment I just acted on the bug report and
> pushed the fix. I have no personal experience with the CVE procedure.
> In the past, just "someone" made them appear.
>
> I tried to apply for a CVE using the horrific Google docs form
> (http://iwantacve.org/) now. How can they resort to such a third-party
> ECMAScript-fest instead of a simple HTML form for _security_ issue
> reporting?!

This is the first time I have heard about that site. The official form is at:

<https://cveform.mitre.org/>

(It still uses JavaScript.)

But I'm not sure if this is in scope here because the web form requires you to confirm that the issue is not in a “CNA-covered product”. Debian is a CNA-covered product, mpg123 is part of Debian, so it is unclear what to do here. I'll ask around.