oss-sec mailing list archives

Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection


From: Jeremy Stanley <fungi () yuggoth org>
Date: Wed, 14 Sep 2016 22:29:16 +0000

On 2016-09-14 10:22:58 -0600 (-0600), Kurt Seifried wrote:
> Ideally people should get CVEs and then post to oss-security with the
> information and the CVE. A lot of people consume the list data and the
> current method means that people end up searching their DBs, making sure
> it's new, then entering it, then updating it with a CVE. If people got CVEs
> first this would vastly simplify things.

At least for some projects, if a vulnerability is already public or
becomes public prior to requesting a CVE privately from some CNA, it
makes more sense to go ahead and widely inform the community (via
this ML and elsewhere) and then associate a CVE with it afterward.
While having a unique identifier is important, I think rapid
dissemination of vulnerabilities so that downstream users can patch
their systems is more important.
-- 
Jeremy Stanley
