Date: Mon, 7 Aug 2017 01:03:53 +0000
From: ne xo <nexo123@...look.kr>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Cve issue discussion

Hello,

I am curious about issuing CVEs.

I can see that a "NULL pointer dereference" or a bug where the exploit has not been verified also gets a CVE.

Heap overflows may or may not be exploitable. It takes a lot of time to analyze the exploit and create the exploit code.

Is it right to be assigned a CVE only if it is exploitable? Or do you think all bugs need to get a CVE?

Thanks.

--- ref ---
http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer dereference
http://www.openwall.com/lists/oss-security/2017/04/10/15 - memory allocation failure