Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 Sep 2016 22:29:16 +0000
From: Jeremy Stanley <>
Subject: Re: Re: ADOdb PDO driver: incorrect quoting may allow
 SQL injection

On 2016-09-14 10:22:58 -0600 (-0600), Kurt Seifried wrote:
> Ideally people should get CVEs and then post to oss-security with the
> information and the CVE. A lot of people consume the list data and the
> current method means that people end up searching their DBs, making sure
> it's new, then entering it, then updating it with a CVE. If people got CVEs
> first this would vastly simplify things.

At least for some projects, if a vulnerability is already public or
becomes public prior to requesting a CVE privately from some CNA, it
makes more sense to go ahead and widely inform the community (via
this ML and elsewhere) and then associate a CVE with it afterward.
While having a unique identifier is important, I think rapid
dissemination of vulnerabilities so that downstream users can patch
their systems is more important.
Jeremy Stanley

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.