Date: Tue, 11 Aug 2015 11:48:02 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for crypto_get_random() from libsrtp

On 2015-08-11 09:51:50 +0200 (+0200), Adam Maris wrote:
[...]
> Unless CVE is assigned, we don't plan to ship any patch at the moment.

I find this an interesting stance. Don't you decide on your own whether your customers are impacted by a bug sufficiently to require a fix (security vulnerability or otherwise)? It seems reasonable to me that you would choose whether or not to ship a patch independently of how MITRE chooses to classify (or not) the associated bug... and vice versa, if a CVE is assigned for a bug you consider to have minimal impact, do you release a patch for it anyway just because there's a CVE?

--
Jeremy Stanley