Date: Tue, 14 Jul 2015 00:03:03 +0200
From: Alessandro Ghedini <ghedo@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

On Mon, Jul 13, 2015 at 05:37:49PM -0400, cve-assign@...re.org wrote:
> One complication here is that the CVE request was sent to oss-security
> without mentioning that a CVE request had been sent privately to one
> Linux distribution a few weeks before that. See:
> 
>   https://github.com/htacg/tidy-html5/issues/217#issue-84488886
> 
>   I contacted Debian about the issue on May 17, so far I have not
>   received a response about a CVE assignment.
>   ...
>   Date: Sun, May 17, 2015 at 8:11 PM
>   Subject: tidy heap-buffer-overflow
>   To: security@...ian.org
> 
> (added security@...ian.org to the Cc line)
> 
> Our only question for Debian is: did Debian already assign any CVE
> ID(s) for this? If not, then MITRE will.

No, we did not assign any CVE for this issue.

FWIW the reason was that by the time we got around to replying to Fernando, the
issue had already been made public on GitHub, so we recommended that he come
straight to oss-security for a CVE assignment.

Cheers
