oss-sec mailing list archives
Re: MySQL 0-day - does it need a CVE?
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 09 Feb 2012 14:23:32 -0700
On 02/09/2012 01:46 PM, Yves-Alexis Perez wrote:
> On ven., 2012-02-10 at 00:36 +0400, Solar Designer wrote:
> That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
> Note that the initial immunity mail doesn't say anything about the vulnerability itself, so it might just be a DoS.
> I wish we had more info.
> Yeah, me too…
There's nowhere near enough information available to validate that the new(?) issue reported by ImmunitySec matches up to CVE-2012-0492. Hopefully ImmunitySec/Oracle can comment on this and clear it up for users/vendors.

Unfortunately CVE only works as well as the vendors using it decide it will. A biased example: Red Hat provides links to security reports with details, bugzilla entries, code commit information, and so on. Vendors that fail or refuse to provide details/code commits for their Open Source projects and so on make things extremely difficult for users and other vendors. =(

An example of this is the following blog entry:

http://blog.montyprogram.com/oracles-27-mysql-security-fixes-and-mariadb/

I'm not trying to pick on Oracle but this is topical and a perfect example of the problem(s) CVE was meant to address but can't if vendors don't participate in the process appropriately.

--
Kurt Seifried
Red Hat Security Response Team (SRT)