Date: Sun, 17 Sep 2017 14:55:12 +0300
From: Alexander Batischev <eual.jp@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Podbeuter podcast fetcher: remote code execution

Hi,

This has been assigned CVE-2017-14500:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500

On Sat, Sep 16, 2017 at 09:05:44PM +0200, Solar Designer wrote:
>"Instead, please start by posting about the (to be made) public issue
>to oss-security (without a CVE ID), request a CVE ID from MITRE
>directly, and finally "reply" to your own posting when you also have
>the CVE ID to add."

I was under the impression that having a CVE ID speeds up processes in
distros, and fixes are released quicker. That's why for my previous (and
first ever) vulnerability I first got an ID and only then released the
details and the patch. The assignment took just a day.

Was my impression wrong? I just want to do things "right", so that
attackers have as little time as possible to exploit users. (I do
realize this all is best-effort and distros might still take time to
release, and then users might take ages to upgrade.)

Now that I had an experience of waiting for three weeks, I'll also
re-consider if I want to become a CNA for my project. Previously it
seemed like a hassle; I'm not so sure now.

--
Regards,
Alexander Batischev

PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94 A00F 3569 61A2 0C8B FD03