How to track vulnerability fixes

Ingo Schwarze schwarze at usta.de
Sun Feb 5 03:36:23 AEDT 2017


Hi,

since nobody else answered:

Sandeep Umesh wrote on Tue, Jan 31, 2017 at 11:44:31AM +0530:

> We have 5 security-related fixes, however CVE # has been assigned
> to only 2 of them (CVE-2016-6210 and CVE-2015-8325).  Does that
> mean the other 3 are non-security-related fixes?

No.  If it's marked as a security fix on the errata page,
for example http://www.openbsd.org/errata60.html ,
or if it's listed on https://www.openssh.com/security.html ,
then it's a security fix.

> When does a security fix qualify to be assigned a CVE #?

Never.  OpenBSD doesn't use the CVE process at all.

A CVE number has no meaning whatsoever.

If a CVE number is assigned to an OpenBSD or OpenSSH bug, then that
usually means that some third party requested it.  Sometimes that
happens, but usually it doesn't.  OpenBSD developers mostly ignore
the CVE process even in cases where some third party bothers to
request a CVE number.

If a CVE number was assigned, it is often listed, but not even that
is guaranteed.  And even if a CVE number is assigned, that doesn't
imply that it's security related.  Just as there are important
vulnerabilities without CVEs, there are CVEs that have no security
implications.

Do not report (suspected or confirmed) OpenSSH security issues
to any third party, not even to MITRE.  Please report them to
<openssh at openssh.com>, or if they are not security related, to
this list or to https://bugzilla.mindrot.org/ .

Yours,
  Ingo