Date: Wed, 14 Sep 2016 22:29:16 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

On 2016-09-14 10:22:58 -0600 (-0600), Kurt Seifried wrote:
> Ideally people should get CVEs and then post to oss-security with the
> information and the CVE. A lot of people consume the list data and the
> current method means that people end up searching their DBs, making sure
> it's new, then entering it, then updating it with a CVE. If people got CVEs
> first this would vastly simplify things.

At least for some projects, if a vulnerability is already public or
becomes public prior to requesting a CVE privately from some CNA, it
makes more sense to go ahead and widely inform the community (via
this ML and elsewhere) and then associate a CVE with it afterward.
While having a unique identifier is important, I think rapid
dissemination of vulnerabilities so that downstream users can patch
their systems is more important.
-- 
Jeremy Stanley
