Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Aug 2010 13:00:27 -0400 (EDT)
From: "Steven M. Christey" <>
To: Tomas Hoger <>
        Thomas Biege <>, Moritz Muehlenhoff <>,
        "Steven M. Christey" <>
Subject: Re: CVE request: PHP MOPS-2010-56..60

On Tue, 24 Aug 2010, Tomas Hoger wrote:

> Standard practice is to use new CVE.  As all 5 phar MOPS were covered
> under single CVE, and not all of them were fixed in 5.3.3, I'd expect a
> new "incomplete fix" CVE.

That's appropriate in this case.  I'll let Josh assign a CVE to avoid the 
possibility of dupes.

General practice (subject to modification on a case-by-case basis) is:

- issue was never fixed and never claimed to be fixed: use original CVE
   (probably triggers an update to description for affected versions)

- issue was claimed fixed but the fix was incomplete: use new CVE

- issue was never fixed but claimed to be fixed: ??? (it's happened a few

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.