oss-sec mailing list archives
Re: Dealing with CVEs that apply to unspecified package versions
From: Simon McVittie <smcv () debian org>
Date: Wed, 15 Mar 2017 18:56:52 +0000
On Wed, 15 Mar 2017 at 18:12:52 +0100, Ludovic Courtès wrote:
> 1. The software behind the CVE form could force submitters to specify version numbers.

That isn't going to work. Not all of the software of interest to major OS distributions even *has* a version number :-( (I am not arguing that software *shouldn't* have releases with version numbers, only that sometimes it *doesn't*; this is a statement about reality, not about best-practice.)

S