Re: MySQL 0-day - does it need a CVE?
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 09 Feb 2012 14:23:32 -0700
On 02/09/2012 01:46 PM, Yves-Alexis Perez wrote:
On ven., 2012-02-10 at 00:36 +0400, Solar Designer wrote:
That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
Note that the initial immunity mail doesn't say anything about the
vulnerability itself, so it might just be a DoS.
I wish we had more info.
Yeah, me too…
There's nowhere near enough information available to validate that the
new(?) issue reported by ImmunitySec matches up to CVE-2012-0492.
Hopefully ImmunitySec/Oracle can comment on this and clear it up for
Unfortunately CVE only works as well as the vendors using it decide it
will. A biased example: Red Hat provides links to security reports with
details, bugzilla entries, code commit information, and so on. Vendors
that fail or refuse to provide details/code commits for their Open
Source projects and so on make things extremely difficult for users and
other vendors. =( An example of this is the following blog entry:
I'm not trying to pick on Oracle but this is topical and a perfect
example of the problem(s) CVE was meant to address but can't if vendors
don't participate in the process appropriately.
Kurt Seifried
Red Hat Security Response Team (SRT)