Message-ID: <160917472.5434172.1351857344147.JavaMail.root@redhat.com>
Date: Fri, 2 Nov 2012 07:55:44 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Kurt Seifried <kseifried@...hat.com>
Subject: Re: Strange CVE situation (at least one ID should
 come of this)

> 
> That's not the same as a generic "don't use this."  For this
> CVE-2012-2400, there is a specific advisory from a specific vendor
> telling customers to patch a vulnerability.  It's "unspecified" all over
> the place due to lack of details, so risk analysis is problematic, but
> it's a statement of some kind of vulnerability in a specific version by an
> authoritative source.
> 
> Oracle and HP publish advisories like this on a regular basis.
> 

This isn't meant to be a troll, it's a legitimate question.

So if someone publishes an advisory stating "I have found a number of
security flaws in product X," would that get the same sort of CVE ID?

I of course don't approve of such advisories, my curiosity is academic.

Thanks.

-- 
    JB
