From: Carlos O'Donell
To: libc-alpha, Siddhesh Poyarekar, Adhemerval Zanella
Subject: What is our SLA for going from reserved CVE to published CVE?
Date: Wed, 1 May 2024 22:12:06 -0400
Organization: Red Hat

Raising this on libc-alpha for a broader discussion.

For CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602 the glibc security team has not yet published the CVE IDs, only reserved the block.

I have just completed filling in the advisories and have all the data for publishing them along with publishing the CVE IDs [1].

I could have published the CVE IDs *earlier* but my reading of the CNA rules is that:

~~~
2.2.3 SHOULD provide the CVE Record information within 24 hours of publishing the CVE ID.
~~~

So once I publish the CVE ID I need to move quickly to fill in all the record information... which I don't have until I complete the advisory text.

For these CVE IDs it will have been ~7-8 days to publish, which is too long IMO, but we can improve that.

Under embargo was certainly easier because the timeline gives us time to write the advisory text and get it ready for publishing.

Would it be better if we just published interim text and updated as we go?

--
Cheers,
Carlos.

[1] https://inbox.sourceware.org/libc-alpha/20240502020121.3267018-1-carlos@redhat.com/T/#m749caf9d5b5e7093efe1bb2ae4cb413ec9749ad4