oss-sec mailing list archives

Re: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection


From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 14 Sep 2016 15:37:29 -0700

On Wed, Sep 14, 2016 at 10:22:58AM -0600, Kurt Seifried wrote:
> Ideally people should get CVEs and then post to oss-security with the
> information and the CVE. A lot of people consume the list data and the
> current method means that people end up searching their DBs, making sure
> it's new, then entering it, then updating it with a CVE. If people got CVEs
> first this would vastly simplify things.

I don't like the idea of waiting on CVE assignment before posting
information here:

- MITRE's team does impressive work, but some assignments take
  significantly longer than others; a request here, publicly, allows users
  to mitigate or fix before a number is known.

- In cases when there are no fixes yet, or incomplete fixes, it may not be
  known how many CVEs are even needed -- making the issues widely known
  earlier increases the chances of someone preparing patches, to clarify
  how many issues existed.

- With MITRE's reduced scope of CVE coverage, there's the risk that
  software that's important to list members or the wider computing public
  may not get a number at all. Not getting a number assigned may give the
  impression that the issue isn't important.

Thanks
