Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: MySQL 0-day - does it need a CVE?
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 09 Feb 2012 14:23:32 -0700

On 02/09/2012 01:46 PM, Yves-Alexis Perez wrote:
On ven., 2012-02-10 at 00:36 +0400, Solar Designer wrote:
That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.


Note that the initial immunity mail doesn't say anything about the 
vulnerability itself, so it might just be a DoS.

I wish we had more info.

Yeah, me too…

There's nowhere near enough information available to validate that the
new(?) issue reported by ImmunitySec matches up to CVE-2012-0492.
Hopefully ImmunitySec/Oracle can comment on this and clear it up for
users/vendors.

Unfortunately CVE only works as well as the vendors using it decide it
will. A biased example: Red Hat provides links to security reports with
details, bugzilla entries, code commit information, and so on. Vendors
that fail or refuse to provide details/code commits for their Open
Source projects and so on make things extremely difficult for users and
other vendors. =( An example of this is the following blog entry:

http://blog.montyprogram.com/oracles-27-mysql-security-fixes-and-mariadb/

I'm not trying to pick on Oracle but this is topical and a perfect
example of the problem(s) CVE was meant to address but can't if vendors
don't participate in the process appropriately.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault