Date: Wed, 15 Mar 2017 18:56:52 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Leo Famulari <leo@...ulari.name>
Subject: Re: Dealing with CVEs that apply to unspecified
 package versions

On Wed, 15 Mar 2017 at 18:12:52 +0100, Ludovic Courtès wrote:
>   1. The software behind the CVE form could force submitters to specify
>      version numbers.

That isn't going to work. Not all of the software of interest to major
OS distributions even *has* a version number :-(

(I am not arguing that software *shouldn't* have releases with version
numbers, only that sometimes it *doesn't*; this is a statement about
reality, not about best-practice.)

    S
