Publishing security fixes without CVE numbers
Hauke Mehrtens
hauke at hauke-m.de
Wed Jun 10 16:32:16 PDT 2026
On 6/10/26 12:09, Hauke Mehrtens wrote:
> Hi,
>
> It takes a long time to get a CVE number assigned for a problem. In the
> past using the GitHub advisory worked in ~2 business days, we are
> waiting for them over 1 week now. Directly over MITRE never worked for
> me, I waited there 2 weeks in the past and did not get an answer.
>
> I think we should publish fixes for security problems without a CVE
> number. If someone wants to assign a number to it later anyone can do this.
> Currently getting a CVE number delays the fixing of security problems by
> days or weeks and also takes effort on our side.
>
> Maybe the people at openwall have an idea:
> https://www.openwall.com/lists/oss-security/2026/06/10/1
>
> If this does not improve I suggest to not wait for a CVE number with
> publishing fixes and details about a security problem in the future.
>
> Hauke

The people at openwall were helpful. It looks like GitHub is still the
easiest method to get a CVE number assigned, but they are overloaded
because they got more requests than they can handle and it just takes
longer now.

We will probably just continue with our process to get the fixes
published and will also publish them without a CVE number assigned if we
do not get one in time. We can update the advisory later when we have a
CVE number.

Hauke