Date: Wed, 14 Sep 2016 22:29:16 +0000 From: Jeremy Stanley <fungi@...goth.org> To: oss-security@...ts.openwall.com Subject: Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection On 2016-09-14 10:22:58 -0600 (-0600), Kurt Seifried wrote: > Ideally people should get CVEs and then post to oss-security with the > information and the CVE. A lot of people consume the list data and the > current method means that people end up searching their DBs, making sure > it's new, then entering it, then updating it with a CVE. If people got CVEs > first this would vastly simplify things. At least for some projects, if a vulnerability is already public or becomes public prior to requesting a CVE privately from some CNA, it makes more sense to go ahead and widely inform the community (via this ML and elsewhere) and then associate a CVE with it afterward. While having a unique identifier is important, I think rapid dissemination of vulnerabilities so that downstream users can patch their systems is more important. -- Jeremy Stanley
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.