Date: Thu, 9 Dec 2010 10:20:57 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: NULL byte poisoning fix in php 5.3.4+

On Thu, 9 Dec 2010, Pierre Joye wrote:

> We fixed it for all file functions. See the link to the commit for
> more details about which codes have been changed. Do we need a CVE for
> every function? I hope not :)

Not really - if all functions were fixed in the same version, then that's not "textbook" CVE but close enough.

The main drivers for my question were (a) were there any other issues that remain unfixed, and (b) in general we try to have the year portion of CVE IDs align with publication (except for year-crossing time frames like Dec/Jan). In this case it might have been more reasonable to assign a 1999 CVE, but the 2006 assignment isn't horrible either...

- Steve