oss-sec mailing list archives

Re: Dealing with CVEs that apply to unspecified package versions


From: Simon McVittie <smcv () debian org>
Date: Wed, 15 Mar 2017 18:56:52 +0000

On Wed, 15 Mar 2017 at 18:12:52 +0100, Ludovic Courtès wrote:
  1. The software behind the CVE form could force submitters to specify
     version numbers.

That isn't going to work. Not all of the software of interest to major
OS distributions even *has* a version number :-(

(I am not arguing that software *shouldn't* have releases with version
numbers, only that sometimes it *doesn't*; this is a statement about
reality, not about best-practice.)

    S

