Date: Fri, 30 Jan 2015 03:14:10 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Fri, Jan 30, 2015 at 01:00:35AM +0100, Hanno Böck wrote:
> At some point I stopped caring too much about CVEs

FWIW, I never cared about them much.  But I do care about the confusion
and its possible negative impact:

> because I felt waiting for them stops me from reporting more issues.

Huh?!  IMO, no one should ever wait for a CVE before reporting an issue!

If it is possible to get a CVE assigned during an embargo period that
would exist anyway, and without disclosing the vulnerability detail to
any extra party, great!  (e.g. this happens for issues handled via the
distros list, where CVEs are currently getting assigned from Red Hat's
pool without having to inform any extra party.)  If this is not
possible, then do without CVE (and one may be assigned when the issue is
already public in here).

Alexander
