Date: Wed, 15 Mar 2017 12:27:47 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Dealing with CVEs that apply to unspecified package versions

On Wed, Mar 15, 2017 at 06:12:52PM +0100, Ludovic Courtès wrote:
> I can think of two actions that could perhaps be taken:
> 
>   1. The software behind the CVE form could force submitters to specify
>      version numbers.

"No fix is currently available" would be difficult to accurately describe.
Sometimes the software is abandonware, and no fix will ever be available.
Sometimes the software is a hobby and only fun features get implemented
but difficult fixes do not. Sometimes the fix will be in the next release.

>   2. For recent entries (say, 2 years old at most), a bot could email
>      the original submitters kindly asking them to provide the missing
>      version info.

I know some submitters who would probably have to invest in new /dev/null
procmail entries if we mailed them once for every CVE they've been issued. :)

I suspect the solution is for people who rely upon these scanning tools to
do the leg work themselves on the packages they care about. (i.e., the
packages that annoy them the most.)

Thanks

