Re: CVE-2022-21449 and version reporting

[Sven Schwedas <sven.schwedas () tao at>]

On 28.04.22 22:10, Seth Arnold wrote:
> On Thu, Apr 28, 2022 at 02:12:04PM +0000, Seaman, Chad wrote:
> > In what universe exactly are versions omitted from vulnerability
> > reporting because a vendor “no longer supports that version”… this
> > non-supported version is still vulnerable?
>
> A large part of software maintenance is managing technical debt --
> and being able to walk away from no-longer-supported products is an
> important part of that.
>
> Would you expect Microsoft to evaluate Windows 3.11, Windows 95,
> Windows 98, Windows ME, Windows NT 3.51, Windows NT 4.0. Windows XP,
> etc for every single vulnerability discovered in newest products?

You and Jeremy arguing in bad faith here, OP didn't ask about anything 
like that.

The problem at hand is, someone *already did all that work*, and Oracle 
is *actively intervening* to have it dropped from CVE reports.

So the question is: Why is vulnerability information that already exists 
being censored?

Attachment: OpenPGP_signature
Description: OpenPGP digital signature