Date: Tue, 14 Jul 2015 00:21:23 +0200
From: Alessandro Ghedini <ghedo@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request - tidy 0.99 / tidy5
 heap-buffer-overflow

On Tue, Jul 14, 2015 at 12:03:03AM +0200, Alessandro Ghedini wrote:
> On Mon, Jul 13, 2015 at 05:37:49PM -0400, cve-assign@...re.org wrote:
> > One complication here is that the CVE request was sent to oss-security
> > without mentioning that a CVE request had been sent privately to one
> > Linux distribution a few weeks before that. See:
> > 
> >   https://github.com/htacg/tidy-html5/issues/217#issue-84488886
> > 
> >   I contacted Debian about the issue on May 17, so far I have not
> >   received a response about a CVE assignment.
> >   ...
> >   Date: Sun, May 17, 2015 at 8:11 PM
> >   Subject: tidy heap-buffer-overflow
> >   To: security@...ian.org
> > 
> > (added security@...ian.org to the Cc line)
> > 
> > Our only question for Debian is: did Debian already assign any CVE
> > ID(s) for this? If not, then MITRE will.
> 
> No, we did not assign any CVE for this issue.
> 
> FWIW the reason was that by the time we got around to replying to Fernando, the
> issue had already been made public on GitHub so we recommended that he come
> straight to oss-security for a CVE assignment.

CCing cve-assign as well.

Cheers
