Date: Tue, 29 Aug 2017 11:44:53 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: A bunch of duplicate CVEs requested for?? bho..

On Tue, 29 Aug 2017, Agostino Sarubbo wrote:

> Hi all.
>
> Lately there are some people that run afl for fuzzing... that's just
> fine and great. Some people fail to communicate their findings to upstream and
> request a CVE from MITRE.
> However I'm noticing that every day there are new duplicates, let me post some
> examples:

It is important to keep in mind that CVEs are issued against 
"products".  There might be a CVE issued against a software version 
distributed by Red Hat or Debian which is not applicable to the 
upstream version.  Since each distribution patches their version, it is 
difficult to know the "product" that a particular CVE is applicable 
to.

I agree that in my personal experience upstream maintainers are rarely 
involved in the CVE process.

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
