
CVE ID should be different to the rust-lang.org one.

Open rbtcollins opened this issue 2 years ago • 3 comments

This is on me, but I didn't get the right pattern for referring to the Rust CVE vs this CVE - are we able to get the advisory to have its own distinct CVE? @pietroalbini advises that scanners could be confused by the same CVE ID being used, and since the point of the vuln system is to let people know when they have to fix something, we should help them as much as possible.

rbtcollins avatar Feb 24 '23 13:02 rbtcollins

Not sure if you can request an ID from GitHub once the advisory has been published, but it should be possible at least to remove the CVE ID from the advisory before it's picked up by dependabot.

pietroalbini avatar Feb 24 '23 13:02 pietroalbini

I have removed it, let me know if there's something it should be.

XAMPPRocky avatar Feb 24 '23 13:02 XAMPPRocky

Thanks! In theory a new CVE ID should be requested, not sure if GitHub allows doing so after the advisory is public. Worst case go through MITRE.

pietroalbini avatar Feb 24 '23 13:02 pietroalbini