oss-sec: Re: Bugzilla 3.7.1 CVE request

oss-sec mailing list archives

Re: Bugzilla 3.7.1 CVE request

From: Moritz Muehlenhoff <jmm () debian org>
Date: Thu, 8 Jul 2010 22:44:14 +0200

Reed Loden wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 6 Jul 2010 00:51:40 -0600
Kurt Seifried <kurt () seifried org> wrote:

CVE # for this please.

http://www.bugzilla.org/security/3.7.1/


This security issue only affects the 3.7 and 3.7.1 development
"snapshots" (basically, alpha/beta quality). It's highly unlikely that
any distro would be tracking this unstable version/branch, so is a CVE
really required? If so, Mozilla can assign one from its pool.

I usually deal with getting CVEs assigned for Bugzilla issues, and I
just didn't think this one required one... However, maybe I was
mistaken in that.


I don't think that development snapshots needs a CVE ID, but there's 
at least one more Bugzilla vulnerability fixed in a release which hasn't 
been assigned a CVE ID so far:

http://www.bugzilla.org/security/3.2.3/
https://bugzilla.mozilla.org/show_bug.cgi?id=495257

Cheers,
        Moritz

By Date By Thread

Current thread:

Bugzilla 3.7.1 CVE request Kurt Seifried (Jul 06)
- Re: Bugzilla 3.7.1 CVE request Reed Loden (Jul 07)
  - Re: Bugzilla 3.7.1 CVE request Moritz Muehlenhoff (Jul 08)