oss-sec mailing list archives
Re: CVE for crypto_get_random() from libsrtp
From: Jeremy Stanley <jeremy () openstack org>
Date: Tue, 11 Aug 2015 13:10:41 +0000
On 2015-08-11 14:58:10 +0200 (+0200), Adam Maris wrote:
On 11/08/15 13:48, Jeremy Stanley wrote:On 2015-08-11 09:51:50 +0200 (+0200), Adam Maris wrote: [...]Unless CVE is assigned, we don't plan to ship any patch at the moment.
[...]
if a CVE is assigned for a bug you consider to have minimal impact, do you release a patch for it anyway just because there's a CVE?
[...]
If a CVE is assigned for this issue, we will create an entry in our CVE database but the end result will likely be the same, wontfix.
That makes more sense. I read your initial "Unless CVE is assigned" comment to mean that you were going to base your decision on whether to distribute a fix on MITRE's classification process rather than on your own due diligence. Thanks for clarifying! -- Jeremy Stanley
Current thread:
- CVE for crypto_get_random() from libsrtp Adam Maris (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Scott Arciszewski (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 01)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 20)