Security fixes for opensaml2 and xmltooling

Scott Cantor cantor.2 at osu.edu
Wed Sep 23 03:22:08 UTC 2009


Russ Allbery wrote on 2009-09-22:
> Our experience in the OpenAFS project is that it's way easier to assign
> CVEs if you're one of the groups who has delegated authority over a block
> of CVE numbers and can just hand them out.  When we obtained a CVE for an
> OpenAFS vulnerability as an independent project, it was a rather tedious
> process and it was hard to figure out who to ask for one.  Debian has a
> block of CVE numbers and can easily assign them.

Ok, that sounds like what Daniel was probably trying to say.

> If you'd like, I'm happy to ask Debian to assign CVEs for
> Shibboleth-related things in the future, which you can then use for
> security announcements and so forth.  Debian has to get a CVE assigned
> anyway for our security updates, so it's no additional work for the
> project as I understand it.

That sounds like a good idea, thanks.

> My GnuPG keys are available from keyservers
> and at http://www.eyrie.org/~eagle/personal/contact.html if you ever
> need to discuss security vulnerabilities confidentially in advance of a
> public announcement.

Are you on the shib-security-alert at internet2.edu list? I think not, but I
can add you. We use that for confidential pre-announcements to federation
contacts and people deemed necessary to make sure there's advance warning
about issues, impact, release schedules, etc. I circulate the draft
advisories there, typically.

Either you or whoever's appropriate from the Debian packaging effort could
be added to make sure there's communication ahead of time.

-- Scott

More information about the Pkg-shibboleth-devel mailing list