On 07/22/2013 06:30 AM, Tim Retout wrote: > Indeed, in hindsight that would have been better. :( Apologies. > > What really annoys me about this is that other distros do use the real > Data::UUID, but I struggled to get a CVE filed - how on earth does one go > about it?
For free software (like Data::UUID) you'd want to request it on [email protected]. Kurt Seifried <[email protected]> monitors that list and can assign CVEs. Kurt likes free software CVE requests to contain pointers to explicit bug reports, relevant sections of code, revision control commits (if any exist) which introduce or fix the bug, and a clear and concise explanation of the vulnerability. He issues about a thousand of these things a year (on top of his other work), and is responsible for making sure that duplicates aren't issued, etc, so any steps that make it simpler/easier for him to understand the issue clearly are worth taking. If you're having trouble getting a CVE from Kurt via that list, please write me off-list and i can try to help you draft something acceptable. Regards, --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
