On 1/10/20 2:28 PM, Stephan Zeisberg wrote:
> So far I have not requested a CVE-Id for the issue. That's what Howard wrote in this regard:
>
>> Usual practice for CVEs is not to make them public until fixes are released. In the future, you should tick the Major Security Issue button for potential CVEs so they can be handled privately before release.
>
> I am not aware of a release including the bugfix for the issue. If the release already exists I am happy to request a CVE-Id for it.
First of all, many thanks for finding and submitting issues like this.
Disclaimer: I'm not an official OpenLDAP project member and I'm not an expert on this CVE-ID process.
From my understanding you can request a CVE-ID which is kept confidential until the vendor has developed a fix. This is useful for already having a unique reference for all the work done upstream to fix a particular security issue and for applying back-port patches to downstream packages (e.g. in Linux distributions).
Furthermore, OpenLDAP's ITS allows marking an issue as a security issue, which hides it from public access.
I read Howard's comment to mean exactly this.
Ciao, Michael.