How did it go? Did you get any response?

On Mon, Jun 19, 2023 at 2:53 AM PJ Fanning <fannin...@apache.org> wrote:

> Thanks Mark.
>
> I've sent a message to Mitre disputing that CVE.
>
> On Mon, 19 Jun 2023 at 08:05, Mark J Cox <m...@apache.org> wrote:
> >
> > So in general you can always contact the CNA of last resort (Mitre) who
> > will direct you to the right place if it's hard to figure out how/why
> > something got assigned.
> >
> > However, you can find out the issuing CNA from the cve.org site; in this
> > case https://www.cve.org/CVERecord?id=CVE-2023-35116 and 'view json' gives
> > you the CNA details as "mitre".  So this one was not through a CNA but
> > likely someone gave a direct request to Mitre via the request form.  And
> > hence https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre
> > so in this case using https://cveform.mitre.org/ is the contact method for
> > a dispute.
> >
> > Regards, Mark
> >
> >
> > On Sun, Jun 18, 2023 at 6:45 PM PJ Fanning <fannin...@apache.org> wrote:
> >
> > > Hi everyone,
> > >
> > > There is a PDF about disputing a CVE but it does not say precisely who
> > > to contact [1].
> > >
> > > I have no idea who the CNA is in my case (CVE-2023-35116).
> > >
> > > The CVE that I want to dispute was added without any attempt to
> > > contact the Jackson developers. Someone spotted a GitHub issue that we
> > > explicitly rejected as a security issue. [2] [3]
> > >
> > > Does anyone know where we can find out who the CNA is? I guess even
> > > knowing the CNA is only part of the way there because we will need to
> > > find out how to file a complaint.
> > >
> > > Any help would be appreciated.
> > >
> > > Regards,
> > > PJ
> > >
> > >
> > >
> > > [1] https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf
> > > [2] https://github.com/CVEProject/cvelist/blob/master/2023/35xxx/CVE-2023-35116.json
> > > [3] https://github.com/FasterXML/jackson-databind/issues/3972
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> > > For additional commands, e-mail: security-discuss-h...@community.apache.org
> > >
> > >
>
