Date: Sun, 17 Sep 2017 14:55:12 +0300
From: Alexander Batischev <eual.jp@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Podbeuter podcast fetcher: remote code execution

Hi,

This has been assigned CVE-2017-14500: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500

On Sat, Sep 16, 2017 at 09:05:44PM +0200, Solar Designer wrote:
> "Instead, please start by posting about the (to be made) public issue
> to oss-security (without a CVE ID), request a CVE ID from MITRE
> directly, and finally "reply" to your own posting when you also have
> the CVE ID to add."

I was under the impression that having a CVE ID speeds up processes in
distros, and fixes are released quicker. That's why for my previous (and
first ever) vulnerability I first got an ID and only then released the
details and the patch. The assignment took just a day.

Was my impression wrong? I just want to do things "right", so that 
attackers have as little time as possible to exploit users. (I do 
realize this all is best-effort and distros might still take time to 
release, and then users might take ages to upgrade.)

Now that I have had the experience of waiting for three weeks, I'll also
reconsider whether I want to become a CNA for my project. Previously it
seemed like a hassle; I'm not so sure now.

-- 
Regards,
Alexander Batischev

PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94  A00F 3569 61A2 0C8B FD03