Florian,
The question is about who is scoring and a level of their knowledge and
understanding. Assuming that each is using CVSS v3.1 then the question is
does the scoring entity look at how the component is built and used or are
they scoring for every eventuality and device across all time (and
Johannes,
If that community does not have a CNA with it in their scope, it is open
for assignment. Sometimes it is easier to have a Root CNA assign for
that under the CVE Services. Just note that as the CNA, everyone can /
should come back to you for the updates and the CNA vulnrichment will co
On Sat, Jan 25, 2025 at 01:24:36AM +, Mark Esler wrote:
> On Wed, Jan 22, 2025 at 03:18:10PM +0100, Johannes Segitz wrote:
> > We're not empowered to do this. We are a CNA for code that we own (e.g.
> > zypper), but not for arbitrary open source projects.
>
> The text of SUSE's scope [0] is si
This is fine but it is much better if oss-security can process our CSAF
machine readable documents.
I'd be willing to have emails sent to you with a CSAF attachment or CSAF
attachments sent via some other agreed mechanism if you like.
Bruce
-
On 1/24/25 6:17 PM, Solar Designer wrote:
On
Severity: low
Affected versions:
- Apache Cocoon: all versions
Description:
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random
Number Generator (PRNG) vulnerability in Apache Cocoon.
This issue affects Apache Cocoon: all versions.
When a continuation is created, it get