oss-sec mailing list archives

Re: MySQL 0-day - does it need a CVE?


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 09 Feb 2012 14:23:32 -0700

On 02/09/2012 01:46 PM, Yves-Alexis Perez wrote:
> On ven., 2012-02-10 at 00:36 +0400, Solar Designer wrote:
>> That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
>
> Note that the initial immunity mail doesn't say anything about the
> vulnerability itself, so it might just be a DoS.
>
> I wish we had more info.

Yeah, me too…

There's nowhere near enough information available to validate that the
new(?) issue reported by ImmunitySec matches up to CVE-2012-0492.
Hopefully ImmunitySec/Oracle can comment on this and clear it up for
users/vendors.

Unfortunately CVE only works as well as the vendors using it decide it
will. A biased example: Red Hat provides links to security reports with
details, bugzilla entries, code commit information, and so on. Vendors
that fail or refuse to provide details/code commits for their Open
Source projects and so on make things extremely difficult for users and
other vendors. =( An example of this is the following blog entry:

http://blog.montyprogram.com/oracles-27-mysql-security-fixes-and-mariadb/

I'm not trying to pick on Oracle but this is topical and a perfect
example of the problem(s) CVE was meant to address but can't if vendors
don't participate in the process appropriately.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

