Date: Wed, 19 Oct 2011 18:07:34 -0400
From: Anthon Pang <anthon.pang@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE request: piwik before 1.6

AFAIK there's been no official change in disclosure policy by the Piwik project. Advisories are separate from the release notes/changelog and are typically published within a week of release. That said, I expect this will take longer than usual given the number of vulnerabilities addressed in this release.

Sent from my iPhone

On 2011-10-19, at 12:58 PM, "Steven M. Christey" <coley@...-smtp.mitre.org> wrote:

>
> On Wed, 19 Oct 2011, Hanno Böck wrote:
>
>> Regarding CVEs, I suggest adding one for every name, e.g.
>> "Unknown security vulnerability in piwik before 1.6 discovered by
>> Alexandru Pitis" etc., until we know more about it.
>
> This is consistent with current practice, where we assign separate CVEs for issues found by different researchers. With the (limited) knowledge that's available right now, all the vulns are the same type, i.e., "unspecified."
>
> - Steve