Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Jul 2013 10:14:12 +0100
From: Matthew Wilkes <matthew@...thewwilkes.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - PloneFormGen, multiple vulnerabilities

> But I also want to make sure CVE's get assigned correctly. So three
> main problems arise

Kurt, I get it. Really. I'll make sure code commits are included in 
future. I don't think anyone's being deliberately obstructive here, I 
know I certainly try my best to give you clear, short descriptions so 
that you don't have to waste time going through others' code if you 
don't need to. I'm not trying to make your job harder, I'm trying to help.

> Having QUICK access to the source code vulns/corrections makes all the
> above much much easier.

Sure, I'll make sure you have it it future. From my point of view, 
however, a lot of these things are caused by subtle interactions of 
various mistakes that would be harmless on their own. That makes it 
harder to provide useful source code as it could easily look correct. 
For example, the Zope application server uses the presence of 
documentation as an in-band marker of if something is public or private; 
just sending you a link to the removal of docs would be pretty confusing.

> You're not asking for CVE's in a vacuum. CVE's are widely used by
> literally millions of people and organizations, we need to make sure
> they are done right or we will cause an obscene amount of time and
> money to be wasted.

The reason I write descriptions and include my estimates of CWE 
identifiers and CVSS scores is precisely because I know lots of people 
read these lists, and it matters to me to reduce the amount of work they 
have to go through.  I'd be surprised to learn that more people care 
about the commits themselves rather than the information in an easy to 
consume format.

> CVE assignment to follow tomorrow because it's 3am here.

Thank you, it's appreciated.

Matt

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.