oss-sec mailing list archives
Re: Dealing with CVEs that apply to unspecified package versions
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 15 Mar 2017 12:27:47 -0700
On Wed, Mar 15, 2017 at 06:12:52PM +0100, Ludovic Courtès wrote:
> I can think of two actions that could perhaps be taken:
> 1. The software behind the CVE form could force submitters to specify version numbers.
"No fix is currently available" would be difficult to accurately describe. Sometimes the software is abandonware, and no fix will ever be available. Sometimes the software is a hobby and only fun features get implemented but difficult fixes do not. Sometimes the fix will be in the next release.
> 2. For recent entries (say, 2 years old at most), a bot could email the original submitters kindly asking them to provide the missing version info.
I know some submitters who would probably have to invest in new /dev/null procmail entries if we mailed them once for every CVE they've been issued. :) I suspect the solution is for people who rely upon these scanning tools to do the leg work themselves on the packages they care about. (i.e., the packages that annoy them the most.) Thanks
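The "leg work" suggested above, as an added example that is not part of the thread and not code from any project mentioned in it: a small Python script that reads an NVD-style JSON feed (the JSON 1.1 shape with `CVE_Items`, `configurations.nodes` and `cpe_match` entries), and for one vendor/product reports whether each CVE's affected range is an exact version, a version range, or left entirely unspecified (a `*` or `-` version with no `versionStart*`/`versionEnd*` bounds). The feed contents, vendor and product names and CVE identifiers are constructed sample data, not real entries. The CPE parser assumes no escaped colons in field values.

```python
import json

# Constructed sample in the shape of the NVD JSON 1.1 feed. The CVE ids,
# vendor and product are made up for this example and are not real entries.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        # Exact version given.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
         "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:foo:1.2.3:*:*:*:*:*:*:*"}]}]}},
        # Wildcard version, but bounded by a range field.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
         "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:foo:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "2.0"}]}]}},
        # Wildcard version with no bounds at all: the case the thread is about.
        # The second match is a non-vulnerable platform entry and is ignored.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
         "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:foo:*:*:*:*:*:*:*:*"},
             {"vulnerable": False,
              "cpe23Uri": "cpe:2.3:o:example:someos:4.1:*:*:*:*:*:*:*"}]}]}},
    ]
})

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into named fields.

    Assumption: no escaped colons (\\:) inside field values. Real feeds can
    contain them, so a production parser must honour the escaping."""
    parts = uri.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % uri)
    return dict(zip(CPE_FIELDS, parts[2:]))


def classify_match(match):
    """Return 'exact', 'range' or 'unspecified' for one cpe_match entry."""
    version = parse_cpe23(match["cpe23Uri"])["version"]
    if version not in ("*", "-"):
        return "exact"
    if any(key in match for key in RANGE_KEYS):
        return "range"
    return "unspecified"


def iter_matches(nodes):
    """Walk configuration nodes, including nested children, yielding matches."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            yield match
        yield from iter_matches(node.get("children", []))


def audit_feed(feed_text, vendor, product):
    """Map CVE id -> most precise version information found for vendor/product.

    Only entries flagged vulnerable for the given product are considered;
    platform/OS matches that merely describe the environment are skipped."""
    precision = {"exact": 2, "range": 1, "unspecified": 0}
    result = {}
    for item in json.loads(feed_text)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        best = None
        nodes = item.get("configurations", {}).get("nodes", [])
        for match in iter_matches(nodes):
            if not match.get("vulnerable", False):
                continue
            fields = parse_cpe23(match["cpe23Uri"])
            if (fields["vendor"], fields["product"]) != (vendor, product):
                continue
            kind = classify_match(match)
            if best is None or precision[kind] > precision[best]:
                best = kind
        if best is not None:
            result[cve_id] = best
    return result


def needs_legwork(feed_text, vendor, product):
    """CVE ids whose affected versions for this product are not stated at all."""
    audit = audit_feed(feed_text, vendor, product)
    return sorted(cve for cve, kind in audit.items() if kind == "unspecified")


if __name__ == "__main__":
    for cve, kind in sorted(audit_feed(SAMPLE_FEED, "example", "foo").items()):
        print(cve, kind)
    print("needs manual version research:",
          needs_legwork(SAMPLE_FEED, "example", "foo"))
```

Run against a real feed, the `needs_legwork` list is the set of entries a scanning tool will either flag forever or silently skip for that package, so it is exactly the list worth researching by hand and, where the package is maintained, reporting back to the CNA with the affected range.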
Current thread:
- Dealing with CVEs that apply to unspecified package versions Ludovic Courtès (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Simon McVittie (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Seth Arnold (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Leo Famulari (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Kurt Seifried (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Jerome Athias (Mar 16)
- Re: Dealing with CVEs that apply to unspecified package versions Jerome Athias (Mar 16)
- Re: Dealing with CVEs that apply to unspecified package versions Leo Famulari (Mar 15)
- Re: Dealing with CVEs that apply to unspecified package versions Jerome Athias (Mar 18)