Message-ID: <Pine.GSO.4.64.1005181336460.13965@faron.mitre.org>
Date: Tue, 18 May 2010 13:39:37 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5


On Tue, 18 May 2010, Josh Bressers wrote:

>> # [Sec] Only use forum id supplied for posting if global announcement
>> detected. (Reported by nickvergessen)
>>
>
> I don't understand what this means. Do you have more information?

I don't know what it means either.  Another part of daily life in CVE. 
However, the announcement comes from the vendor so we will ultimately call 
it an unspecified vuln with unknown impact and attack vectors related to 
"forum id" and "global announcement" or some equally useless description.

So this could use a CVE, too.  At worst it's a signal to consumers that 
they need to patch, even if the developer isn't clearly explaining why.

Not much different than your typical Linux kernel bug, actually :-/

- Steve
