oss-sec mailing list archives

Re: CVE request: PHP MOPS-2010-56..60


From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 24 Aug 2010 13:00:27 -0400 (EDT)


On Tue, 24 Aug 2010, Tomas Hoger wrote:

> Standard practice is to use new CVE.  As all 5 phar MOPS were covered
> under single CVE, and not all of them were fixed in 5.3.3, I'd expect a
> new "incomplete fix" CVE.

That's appropriate in this case. I'll let Josh assign a CVE to avoid the possibility of dupes.

General practice (subject to modification on a case-by-case basis) is:

- issue was never fixed and never claimed to be fixed: use original CVE
  (probably triggers an update to description for affected versions)

- issue was claimed fixed but the fix was incomplete: use new CVE

- issue was never fixed but claimed to be fixed: ??? (it's happened a few
  times)



- Steve

