Date: Tue, 14 Jul 2015 00:21:23 +0200
From: Alessandro Ghedini <ghedo@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

On Tue, Jul 14, 2015 at 12:03:03AM +0200, Alessandro Ghedini wrote:
> On Mon, Jul 13, 2015 at 05:37:49PM -0400, cve-assign@...re.org wrote:
> > One complication here is that the CVE request was sent to oss-security
> > without mentioning that a CVE request had been sent privately to one
> > Linux distribution a few weeks before that. See:
> >
> > https://github.com/htacg/tidy-html5/issues/217#issue-84488886
> >
> > I contacted Debian about the issue on May 17, so far I have not
> > received a response about a CVE assignment.
> > ...
> > Date: Sun, May 17, 2015 at 8:11 PM
> > Subject: tidy heap-buffer-overflow
> > To: security@...ian.org
> >
> > (added security@...ian.org to the Cc line)
> >
> > Our only question for Debian is: did Debian already assign any CVE
> > ID(s) for this? If not, then MITRE will.
>
> No, we did not assign any CVE for this issue.
>
> FWIW the reason was that by the time we got around to replying to Fernando, the
> issue had already been made public on GitHub so we recommended him to come
> straight to oss-security for a CVE assignment.

CCing cve-assign as well.

Cheers

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)