oss-sec mailing list archives

Re: Podbeuter podcast fetcher: remote code execution


From: Alexander Batischev <eual.jp () gmail com>
Date: Sun, 17 Sep 2017 14:55:12 +0300

Hi,

This has been assigned CVE-2017-14500: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500

On Sat, Sep 16, 2017 at 09:05:44PM +0200, Solar Designer wrote:
"Instead, please start by posting about the (to be made) public issue to oss-security (without a CVE ID), request a CVE ID from MITRE directly, and finally "reply" to your own posting when you also have the CVE ID to add."

I was under the impression that having a CVE ID speeds up processes in distros, and fixes are released quicker. That's why for my previous (and first ever) vulnerability I first got an ID and only then released the details and the patch. The assignment took just a day.

Was my impression wrong? I just want to do things "right", so that attackers have as little time as possible to exploit users. (I do realize this all is best-effort and distros might still take time to release, and then users might take ages to upgrade.)

Now that I have had the experience of waiting for three weeks, I'll also reconsider whether I want to become a CNA for my project. Previously it seemed like a hassle; I'm not so sure now.

--
Regards,
Alexander Batischev

PGP key 356961A20C8BFD03
Fingerprint: CE6C 4307 9348 58E3 FD94  A00F 3569 61A2 0C8B FD03
