List: oss-security
Subject: [oss-security] Re: CVE Request - PloneFormGen, multiple vulnerabilities
From: Matthew Wilkes <matthew () matthewwilkes ! co ! uk>
Date: 2013-07-25 9:14:12
Message-ID: ksqq8t$s6m$1 () ger ! gmane ! org
> But I also want to make sure CVE's get assigned correctly. So three
> main problems arise
Kurt, I get it. Really. I'll make sure code commits are included in
future. I don't think anyone's being deliberately obstructive here, I
know I certainly try my best to give you clear, short descriptions so
that you don't have to waste time going through others' code if you
don't need to. I'm not trying to make your job harder, I'm trying to help.
> Having QUICK access to the source code vulns/corrections makes all the
> above much much easier.
Sure, I'll make sure you have it in future. From my point of view,
however, a lot of these things are caused by subtle interactions of
various mistakes that would be harmless on their own. That makes it
harder to provide useful source code as it could easily look correct.
For example, the Zope application server uses the presence of
documentation as an in-band marker of whether something is public or private;
just sending you a link to the removal of docs would be pretty confusing.
> You're not asking for CVE's in a vacuum. CVE's are widely used by
> literally millions of people and organizations, we need to make sure
> they are done right or we will cause an obscene amount of time and
> money to be wasted.
The reason I write descriptions and include my estimates of CWE
identifiers and CVSS scores is precisely because I know lots of people
read these lists, and it matters to me to reduce the amount of work they
have to go through. I'd be surprised to learn that more people care
about the commits themselves rather than the information in an easy to
consume format.
> CVE assignment to follow tomorrow because it's 3am here.
Thank you, it's appreciated.
Matt
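As an added illustration of the Zope convention Matthew refers to (this is a constructed model for the thread, not Zope's or PloneFormGen's own code, and the Folder class and method names are made up): a publisher that treats the presence of a docstring as the "public" marker, so that a diff which only deletes a docstring is in fact an exposure fix.

```python
"""Simplified model of the ZPublisher rule that only objects carrying a
docstring are reachable through the web. Constructed example; the real
publisher does considerably more, this keeps just the docstring gate."""


class NotFound(Exception):
    """Raised when traversal reaches something that must not be published."""


class Folder:
    """A container exposed via the publisher (has a docstring, so it is public)."""

    def listing(self):
        """Return the public listing (docstring present: publishable)."""
        return ["a", "b"]

    def manage_reset(self):
        # No docstring: marked as internal, so the publisher must refuse it.
        # Adding a docstring here would silently expose it over HTTP.
        return "reset"


def publish(obj, name):
    """Resolve `name` on `obj` the way a docstring-gated publisher would.

    The attribute must exist, must not start with '_', and must carry a
    docstring. Removing a docstring therefore changes exposure, which is why
    a "docs only" commit can look harmless when read out of context."""
    if name.startswith("_"):
        raise NotFound(name)
    target = getattr(obj, name, None)
    if target is None:
        raise NotFound(name)
    if not getattr(target, "__doc__", None):
        raise NotFound("Missing docstring at: %s" % name)
    return target()


def is_published(obj, name):
    """True if `name` is reachable through publish(), False otherwise."""
    try:
        publish(obj, name)
    except NotFound:
        return False
    return True
```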