Date: Tue, 14 Jul 2015 00:21:23 +0200
From: Alessandro Ghedini <ghedo@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request - tidy 0.99 / tidy5
 heap-buffer-overflow

On Tue, Jul 14, 2015 at 12:03:03AM +0200, Alessandro Ghedini wrote:
> On Mon, Jul 13, 2015 at 05:37:49PM -0400, cve-assign@...re.org wrote:
> > One complication here is that the CVE request was sent to oss-security
> > without mentioning that a CVE request had been sent privately to one
> > Linux distribution a few weeks before that. See:
> > 
> >   https://github.com/htacg/tidy-html5/issues/217#issue-84488886
> > 
> >   I contacted Debian about the issue on May 17, so far I have not
> >   received a response about a CVE assignment.
> >   ...
> >   Date: Sun, May 17, 2015 at 8:11 PM
> >   Subject: tidy heap-buffer-overflow
> >   To: security@...ian.org
> > 
> > (added security@...ian.org to the Cc line)
> > 
> > Our only question for Debian is: did Debian already assign any CVE
> > ID(s) for this? If not, then MITRE will.
> 
> No, we did not assign any CVE for this issue.
> 
> FWIW the reason was that by the time we got around to replying to Fernando, the
> issue had already been made public on GitHub, so we recommended that he come
> straight to oss-security for a CVE assignment.

CCing cve-assign as well.

Cheers
