Date: Thu, 2 May 2024 17:40:18 -0400
From: Carlos O'Donell <carlos@redhat.com>
Organization: Red Hat
To: libc-alpha, Siddhesh Poyarekar, Adhemerval Zanella
Subject: Content of glibc advisories vs. CVE JSON v5 and CNA rules?

I want to make it as easy as a cut-and-paste to
complete the work of publishing the CVE data when the advisory text is complete.

When the glibc security team publishes an advisory as part of the CNA process we must comply with the CNA Rules and our goal is to use CVE JSONv5 format uploads.

The JSONv5 format has a title and description field that must be provided.

The most interesting part is that the CVE description has some explicit requirements in [1] that mean we would adopt similar requirements for the text of our own advisories.

My opinion is as follows:

- The first line of our advisories should be the CVE title.
- The descriptive text of the advisory should be the CVE description.
- Note the rules say "8.2.6 MAY contain information not listed here." so we can provide whatever else we want.

Thoughts?

--
Cheers,
Carlos.

[1] https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-2_cve_record_prose_description_requirements
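To show the cut-and-paste workflow the proposal implies, here is an added example (my own illustration, not code from Carlos's message or from the glibc project) that splits an advisory written in the proposed layout into the CVE title and description and maps them into a CVE JSON 5.0 record. The sample advisory is constructed, the CVE id and org id are placeholders, and the record's field names are assumed from the CVE JSON 5.0 schema rather than taken from the message.

```python
import json

# Constructed sample advisory in the proposed layout (not a real glibc advisory).
SAMPLE_ADVISORY = """\
Example: out-of-bounds read in a hypothetical parser

A hypothetical input parsing routine may read past the end of its buffer
when given a specially crafted input, leading to a crash.

This issue is illustrative only.
"""


def split_advisory(text):
    """Split advisory text into (title, description) following the proposed
    convention: the first non-empty line is the CVE title and everything after
    it is the CVE description.  Returns (None, None) if either part is missing."""
    lines = text.splitlines()
    while lines and not lines[0].strip():
        lines.pop(0)                      # tolerate leading blank lines
    if not lines:
        return None, None                 # no title at all
    title = lines[0].strip()
    description = "\n".join(lines[1:]).strip()
    if not description:
        return None, None                 # a title with no descriptive text
    return title, description


def build_cve_record(cve_id, advisory_text, assigner_org_id):
    """Return a CVE JSON 5.0 record as a dict with the advisory's title and
    description in the CNA container.  Field names are assumed from the CVE
    JSON 5.0 schema; check them against the published schema before upload."""
    title, description = split_advisory(advisory_text)
    if title is None:
        raise ValueError("advisory needs a title line and descriptive text")
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": cve_id, "assignerOrgId": assigner_org_id,
                        "state": "PUBLISHED"},
        "containers": {"cna": {"title": title,
                               "descriptions": [{"lang": "en", "value": description}]}},
    }


if __name__ == "__main__":
    # Placeholders: substitute the real CVE id and the CNA's organization UUID.
    print(json.dumps(build_cve_record("CVE-YYYY-NNNN", SAMPLE_ADVISORY,
                                      "00000000-0000-0000-0000-000000000000"), indent=2))
```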