Date: Wed, 14 Sep 2016 22:29:16 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

On 2016-09-14 10:22:58 -0600 (-0600), Kurt Seifried wrote:
> Ideally people should get CVEs and then post to oss-security with the
> information and the CVE. A lot of people consume the list data and the
> current method means that people end up searching their DBs, making sure
> it's new, then entering it, then updating it with a CVE. If people got CVEs
> first this would vastly simplify things.

At least for some projects, if a vulnerability is already public or becomes public prior to requesting a CVE privately from some CNA, it makes more sense to go ahead and widely inform the community (via this ML and elsewhere) and then associate a CVE with it afterward. While having a unique identifier is important, I think rapid dissemination of vulnerabilities so that downstream users can patch their systems is more important.

-- 
Jeremy Stanley