oss-sec mailing list archives
Re: CVE Request - PloneFormGen, multiple vulnerabilities
From: Matthew Wilkes <matthew () matthewwilkes co uk>
Date: Thu, 25 Jul 2013 10:14:12 +0100
> But I also want to make sure CVE's get assigned correctly. So three main problems arise
Kurt, I get it. Really. I'll make sure code commits are included in future. I don't think anyone's being deliberately obstructive here, I know I certainly try my best to give you clear, short descriptions so that you don't have to waste time going through others' code if you don't need to. I'm not trying to make your job harder, I'm trying to help.
> Having QUICK access to the source code vulns/corrections makes all the above much much easier.
Sure, I'll make sure you have it in future. From my point of view, however, a lot of these things are caused by subtle interactions of various mistakes that would be harmless on their own. That makes it harder to provide useful source code as it could easily look correct. For example, the Zope application server uses the presence of documentation as an in-band marker of whether something is public or private; just sending you a link to the removal of docs would be pretty confusing.
> You're not asking for CVE's in a vacuum. CVE's are widely used by literally millions of people and organizations, we need to make sure they are done right or we will cause an obscene amount of time and money to be wasted.
The reason I write descriptions and include my estimates of CWE identifiers and CVSS scores is precisely because I know lots of people read these lists, and it matters to me to reduce the amount of work they have to go through. I'd be surprised to learn that more people care about the commits themselves rather than the information in an easy to consume format.
> CVE assignment to follow tomorrow because it's 3am here.
Thank you, it's appreciated.

Matt
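The point Matt makes about Zope, that a docstring is what marks a method as web-reachable, is the kind of thing a reviewer cannot see from a "docs removed" commit alone. The toy publisher below is an added example, not code from Zope, Plone or PloneFormGen: it emulates the docstring rule in a few lines so the effect of removing a docstring is visible. The class and method names (FormBefore, FormAfter, clear_saved_data) are constructed for the illustration and do not refer to any real PloneFormGen code.

```python
"""Added example: a constructed emulation of docstring-gated publishing.

In Zope's publisher a callable is reachable by URL only if it carries a
docstring; this toy reproduces that rule so the security meaning of
"removed the docs" is obvious. Nothing here is Zope's own implementation.
"""
import inspect


class NotPublishable(Exception):
    """Raised when traversal hits a name the publisher would refuse."""


def is_publishable(obj, name):
    """Return True if `name` on `obj` would be reachable under the docstring rule.

    The checks mirror the emulated rule: no leading underscore, must be
    callable, and must have a non-empty docstring.
    """
    if name.startswith("_"):
        return False
    attr = getattr(obj, name, None)
    if attr is None or not callable(attr):
        return False
    doc = inspect.getdoc(attr)
    return bool(doc and doc.strip())


def list_exposed(obj):
    """Names on `obj` that the emulated publisher would expose (sorted)."""
    return sorted(n for n in dir(obj) if is_publishable(obj, n))


def publish(obj, name):
    """Call `name` on `obj` as the publisher would, or refuse it."""
    if not is_publishable(obj, name):
        raise NotPublishable(name)
    return getattr(obj, name)()


class FormBefore:
    """Constructed 'before' state: a helper with a docstring is web-reachable."""

    def render(self):
        """Render the form (intended to be public)."""
        return "form"

    def clear_saved_data(self):
        """Clear stored submissions (helper; the docstring exposes it by accident)."""
        return "cleared"


class FormAfter:
    """Constructed 'after' state: the helper's docstring was removed."""

    def render(self):
        """Render the form (intended to be public)."""
        return "form"

    def clear_saved_data(self):
        # No docstring: under the emulated rule this is no longer reachable
        # through traversal, even though the code body is unchanged.
        return "cleared"


if __name__ == "__main__":
    print("before:", list_exposed(FormBefore()))   # ['clear_saved_data', 'render']
    print("after: ", list_exposed(FormAfter()))    # ['render']
```

Running it shows why the diff is confusing out of context: the only change between the two classes is a comment-like line, yet `list_exposed` drops the helper from the public surface.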