Message-ID: <20150130001410.GA10438@openwall.com>
Date: Fri, 30 Jan 2015 03:14:10 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Fri, Jan 30, 2015 at 01:00:35AM +0100, Hanno Böck wrote:
> At some point I stopped caring too much about CVEs

FWIW, I never cared about them much.  But I do care about the confusion
and its possible negative impact:

> because I felt waiting for them stops me from reporting more issues.

Huh?!  IMO, no one should ever wait for a CVE before reporting an issue!

If it is possible to get a CVE assigned during an embargo period that
would exist anyway, and without disclosing the vulnerability detail to
any extra party, great!  (e.g. this happens for issues handled via the
distros list, where CVEs are currently getting assigned from Red Hat's
pool without having to inform any extra party.)  If this is not
possible, then do without CVE (and one may be assigned when the issue is
already public in here).

Alexander
