Date: Fri, 21 Feb 2014 02:10:19 +0400
From: Solar Designer <>
Subject: Re: Request regarding posts to the lists

On Thu, Feb 20, 2014 at 02:38:50PM -0600, security curmudgeon wrote:
> please clearly identify the product in the subject line.

I support this request.  Luckily, most of the time this is already the case.

> Just including a sub-component or vulnerable functions and/or a CVE does 
> not tell us what software the mail is about. This has gotten out of hand 
> and in at least one case in the past few days, the entire mail never 
> clearly stated the software that was vulnerable. Sure, most of us know the 
> poster and it followed other advisories, but to newcomers or anyone 
> reaching that post via a Google search it is not very friendly.

I am a bit puzzled.  Are you possibly referring to the three Ruby
advisories posted on 2014/02/18?

If so, I doubt Aaron will notice your request - I think he's not
subscribed.  You might want to e-mail him privately, in case he intends
to post more advisories in the future.

Or maybe you were referring to Vincent's CVE request for
CGI::Application, which didn't mention Perl in the Subject line (but did
in the message body)?  This one actually looks OK with respect to your
request, since CGI::Application appears to be a product on its own (not
bundled with Perl).

I find no other examples of this problem "in the past few days",
although of course we've seen it numerous times before.

