Date: Tue, 18 May 2010 13:39:37 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: Josh Bressers <bressers@...hat.com> cc: oss-security@...ts.openwall.com Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5 On Tue, 18 May 2010, Josh Bressers wrote: >> # [Sec] Only use forum id supplied for posting if global announcement >> detected. (Reported by nickvergessen) >> > > I don't understand what this means. Do you have more information? I don't know what it means either. Another part of daily life in CVE. However, the announcement comes from the vendor so we will ultimately call it an unspecified vuln with unknown impact and attack vectors related to "forum id" and "global announcement" or some equally useless description. So this could use a CVE, too. At worst it's a signal to consumers that they need to patch, even if the developer isn't clearly explaining why. Not much different than your typical Linux kernel bug, actually :-/ - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.