Date: Tue, 29 Aug 2017 11:44:53 -0500 (CDT)
From: Bob Friesenhahn <>
To: oss-security <>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, 29 Aug 2017, Agostino Sarubbo wrote:

> Hi all.
> In the last time there are some people that run afl for fuzzing...that's just
> fine and great. Some people miss to communicate their findings to upstream and
> request a CVE from mitre.
> However I'm noticing that every day there are new duplicates, let me post some
> examples:

It is important to keep in mind that CVEs are issued against 
"products".  There might be a CVE issued against a software version 
distributed by Red Hat or Debian which is not applicable to the 
upstream version.  Since each distribution patches their version it is 
difficult to know the "product" that a particular CVE is applicable 

I agree that in my personal experience upstream maintainers are rarely 
involved in the CVE process.

Bob Friesenhahn,
GraphicsMagick Maintainer,
