Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 7 Aug 2017 01:03:53 +0000
From: ne xo <nexo123@...look.kr>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Cve issue discussion

Hello,


I am curious about issuing CVEs.

I can see that a "NULL pointer dereference" or a bug where the exploit has not been verified also get a CVE.


heap-overflows may or may not be exploitable.


It takes a lot of time to analyze the exploit and create the exploit code.


Is it right to be assigned a CVE only if it is exploitable?


Or do you think all bugs need to get a CVE?


Thanks.

---

ref

---

[1]http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer dereference
[2]http://www.openwall.com/lists/oss-security/2017/04/10/15 - memory allocation failure

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ