On 1/10/20 2:28 PM, Stephan Zeisberg wrote:
> So far I have not requested a CVE-Id for the issue. That's what Howard
> wrote in this regard:
>
>> Usual practice for CVEs is not to make them public until fixes are
>> released. In the future, you should tick the Major Security Issue
>> button for potential CVEs so they can be handled privately before
>> release.>
> I am not aware of a release including the bugfix for the issue. If the
> release already exists I am happy to request a CVE-Id for it
First of all, many thanks for finding and submitting issues like this.
Disclaimer: I'm not an official OpenLDAP project member and I'm not an
expert for this CVE-ID process.
>From my understanding you can request a CVE-ID which is kept
confidential until the vendor developed a fix. This is useful to already
have a unique reference for all the work done upstream to fix a
particular security issue and for applying back-port patches to
downstream packages (e.g. in Linux distributions).
Furthermore OpenLDAP's ITS allows to mark an issue as security issue
which hides it from public access.
I read Howard's comment that he meant exactly this.
Ciao, Michael.