Date: Tue, 29 Aug 2017 11:44:53 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, 29 Aug 2017, Agostino Sarubbo wrote:

> Hi all.
>
> In the last time there are some people that run afl for fuzzing...that's just
> fine and great. Some people miss to communicate their findings to upstream and
> request a CVE from mitre.
> However I'm noticing that every day there are new duplicates, let me post some
> examples:

It is important to keep in mind that CVEs are issued against "products". There might be a CVE issued against a software version distributed by Red Hat or Debian which is not applicable to the upstream version. Since each distribution patches their version it is difficult to know the "product" that a particular CVE is applicable to.

I agree that in my personal experience upstream maintainers are rarely involved in the CVE process.

Bob
--
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/