Date: Wed, 11 Apr 2012 21:07:17 -0600
From: Greg Knaddison <>
To: Kurt Seifried <>
Subject: Re: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

On Wed, Apr 11, 2012 at 8:10 PM, Kurt Seifried <> wrote:

> >>
> >> Direct links to the code commits fixing them would be nice =)
> >
> > We probably can't do this, though it is a fairly common request.
> > Our current policy is not to discuss the specific details for at
> > least 2 weeks and closer to 6 months if possible. Project usage
> > shows that most site builders don't upgrade very quickly.
> Hrmm, yeah, that's a tough one. Do you do any regression testing to make
> sure the new modules don't break things (if people know stuff is
> unlikely to break they are more likely to upgrade quickly, usually
> anyway).

As a project there is an automated testing framework integrated into the
code hosted on and a network of servers to run tests pretty
quickly, but very few of the contributed modules take advantage of it
(there are 16,000 of them after all). I don't think we've gone beyond
anecdotes for why people don't upgrade rapidly, but it's definitely
something we're constantly working to improve the speed of the upgrade

> Perfect! I was just thinking, as long as the main project
> contributors/etc. (e.g. you guys in the case of Drupal) do the CVE
> requests in a regular and public way (e.g. to OSS-sec) then there is
> minimal chance of duplicates and other problems (e.g. someone else
> sending a request to Mitre directly or whatever).

Director Security Services | +1-720-310-5623
Skype: greg.knaddison
