Date: Wed, 15 Mar 2017 12:27:47 -0700 From: Seth Arnold <seth.arnold@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: Dealing with CVEs that apply to unspecified package versions On Wed, Mar 15, 2017 at 06:12:52PM +0100, Ludovic Courtès wrote: > I can think of two actions that could perhaps be taken: > > 1. The software behind the CVE form could force submitters to specify > version numbers. "No fix is currently available" would be difficult to accurately describe. Sometimes the software is abaondware, and no fix will ever be available. Sometimes the software is a hobby and only fun features get implemented but difficult fixes do not. Sometimes the fix will be in the next release. > 2. For recent entries (say, 2 years old at most), a bot could email > the original submitters kindly asking them to provide the missing > version info. I know some submitters who would probably have to invest in new /dev/null procmail entries if we mailed them once for every CVE they've been issued. :) I suspect the solution is for people who rely upon these scanning tools to do the leg work themselves on the packages they care about. (i.e., the packages that annoy them the most.) Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ