Date: Tue, 11 Aug 2015 13:10:41 +0000 From: Jeremy Stanley <jeremy@...nstack.org> To: oss-security@...ts.openwall.com Subject: Re: CVE for crypto_get_random() from libsrtp On 2015-08-11 14:58:10 +0200 (+0200), Adam Maris wrote: > On 11/08/15 13:48, Jeremy Stanley wrote: > > On 2015-08-11 09:51:50 +0200 (+0200), Adam Maris wrote: > > [...] > > > Unless CVE is assigned, we don't plan to ship any patch at the > > > moment. [...] > > if a CVE is assigned for a bug you consider to have minimal > > impact, do you release a patch for it anyway just because > > there's a CVE? [...] > If a CVE is assigned for this issue, we will create an entry in > our CVE database but the end result will likely be the same, > wontfix. That makes more sense. I read your initial "Unless CVE is assigned" comment to mean that you were going to base your decision on whether to distribute a fix on MITRE's classification process rather than on your own due diligence. Thanks for clarifying! -- Jeremy Stanley
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ