oss-sec mailing list archives
Re: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)
From: Greg Knaddison <greg.knaddison () acquia com>
Date: Wed, 11 Apr 2012 21:07:17 -0600
On Wed, Apr 11, 2012 at 8:10 PM, Kurt Seifried <kseifried () redhat com> wrote:
Direct links to the code commits fixing them would be nice =)

We probably can't do this, though it is a fairly common request. Our current policy is not to discuss the specific details for at least 2 weeks and closer to 6 months if possible. Project usage shows that most site builders don't upgrade very quickly.

Hrmm yeah that's a tough one. Do you do any regression testing to make sure the new modules don't break things (if people know stuff is unlikely to break they are more likely to upgrade quickly, usually anyways).

As a project there is an automated testing framework integrated into the code hosted on drupal.org and a network of servers to run tests pretty quickly, but very few of the contributed modules take advantage of it (there are 16,000 of them after all). I don't think we've gone beyond anecdotes for why people don't upgrade rapidly but it's definitely something we're constantly working to improve the speed of the upgrade cycle.

Perfect! I was just thinking, as long as the main project contributors/etc. (e.g. you guys in the case of Drupal) do the CVE requests in a regular and public way (e.g. to OSS-sec) then there is minimal chance of duplicates and other problems (e.g. someone else sending a request to Mitre directly or whatever).

Solid.

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com