Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 8 Jul 2010 22:44:14 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kurt@...fried.org>
Subject: Re: Bugzilla 3.7.1 CVE request

Reed Loden wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, 6 Jul 2010 00:51:40 -0600
> Kurt Seifried <kurt@...fried.org> wrote:
> 
> > CVE # for this please.
> > 
> > http://www.bugzilla.org/security/3.7.1/
> 
> This security issue only affects the 3.7 and 3.7.1 development
> "snapshots" (basically, alpha/beta quality). It's highly unlikely that
> any distro would be tracking this unstable version/branch, so is a CVE
> really required? If so, Mozilla can assign one from its pool.
> 
> I usually deal with getting CVEs assigned for Bugzilla issues, and I
> just didn't think this one required one... However, maybe I was
> mistaken in that.

I don't think that development snapshots needs a CVE ID, but there's 
at least one more Bugzilla vulnerability fixed in a release which hasn't 
been assigned a CVE ID so far:

http://www.bugzilla.org/security/3.2.3/
https://bugzilla.mozilla.org/show_bug.cgi?id=495257

Cheers,
        Moritz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ