Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 00:03:03 +0200
From: Alessandro Ghedini <>
Subject: Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

On Mon, Jul 13, 2015 at 05:37:49PM -0400, wrote:
> One complication here is that the CVE request was sent to oss-security
> without mentioning that a CVE request had been sent privately to one
> Linux distribution a few weeks before that. See:
>   I contacted Debian about the issue on May 17, so far I have not
>   received a response about a CVE assignment.
>   ...
>   Date: Sun, May 17, 2015 at 8:11 PM
>   Subject: tidy heap-buffer-overflow
>   To:
> (added to the Cc line)
> Our only question for Debian is: did Debian already assign any CVE
> ID(s) for this? If not, then MITRE will.

No, we did not assign any CVE for this issue.

FWIW the reason was that by the time we got around to replying to Fernando, the
issue had already been made public on GitHub so we recommended him to come
straight to oss-security for a CVE assignment.


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.