Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.64.1012091018490.6544@faron.mitre.org>
Date: Thu, 9 Dec 2010 10:20:57 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: NULL byte poisoning fix in php 5.3.4+


On Thu, 9 Dec 2010, Pierre Joye wrote:

> We fixed it for all file functions. See the link to the commit for
> more details about which codes have been changed. Do we need a CVE for
> every function? I hope not :)

Not really - if all functions were fixed in the same version, then that's 
not "textbook" CVE but close enough.

The main drivers for my question were (a) were there any other issues that 
remain unfixed, and (b) in general we try to have the year portion of CVE 
IDs align with publication (except for year-crossing time frames like 
Dec/Jan).  In this case it might have been more reasonable to assign a 
1999 CVE, but the 2006 assignment isn't horrible either...

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.