Date: Fri, 30 Jan 2015 03:14:10 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) On Fri, Jan 30, 2015 at 01:00:35AM +0100, Hanno B??ck wrote: > At some point I stopped caring too much about CVEs FWIW, I never cared about them much. But I do care about the confusion and its possible negative impact: > because I felt waiting for them stops me from reporting more issues. Huh?! IMO, no one should ever wait for a CVE before reporting an issue! If it is possible to get a CVE assigned during an embargo period that would exist anyway, and without disclosing the vulnerability detail to any extra party, great! (e.g. this happens for issues handled via the distros list, where CVEs are currently getting assigned from Red Hat's pool without having to inform any extra party.) If this is not possible, then do without CVE (and one may be assigned when the issue is already public in here). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ