oss-sec mailing list archives
Re: A bunch of duplicate CVEs requested for?? bho..
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Tue, 29 Aug 2017 11:44:53 -0500 (CDT)
On Tue, 29 Aug 2017, Agostino Sarubbo wrote:
> Hi all. Lately there are some people that run afl for fuzzing... that's just fine and great.
> Some people fail to communicate their findings to upstream and request a CVE from MITRE.
> However, I'm noticing that every day there are new duplicates; let me post some examples:
It is important to keep in mind that CVEs are issued against "products". There might be a CVE issued against a software version distributed by Red Hat or Debian which is not applicable to the upstream version. Since each distribution patches their version, it is difficult to know the "product" that a particular CVE is applicable to.
I agree that in my personal experience upstream maintainers are rarely involved in the CVE process.
Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/