Message-ID: <20260321180013.GA20708@openwall.com>
Date: Sat, 21 Mar 2026 19:00:13 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Buffer overflow in /bin/su from UNIX v4

On Sat, Mar 21, 2026 at 01:13:47PM -0400, kf503bla@...k.com wrote:
> why assign cve to something irrelevant?

I guess because (ir)relevance isn't among criteria for (not) assigning a
CVE, and because there may be value in having a non-ambiguous way to
refer to historical vulnerabilities for illustration of how the current
ones fit in historical context.

That said, I'm sure there are other cases of historical vulnerabilities
that never got CVEs.  Some were known prior to the CVE program start, so
would need CVEs from before 1999.  I think there's some value in that,
but it would be a change.  CVEs were not assigned for pre-1999 findings
so far.

The 2025 in this CVE is almost certainly wrong, but I understand that no
one had the resources to figure out the year it was first discovered.

Alexander
