Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)
From: Greg Knaddison <greg.knaddison () acquia com>
Date: Wed, 11 Apr 2012 21:07:17 -0600

On Wed, Apr 11, 2012 at 8:10 PM, Kurt Seifried <kseifried () redhat com> wrote:

Direct links to the code commits fixing them would be nice =)

We probably can't do this, though it is a fairly common request.
Our current policy is not to discuss the specific details for at
least 2 weeks and closer to 6 months if possible. Project usage
shows that most site builders don't upgrade very quickly.

Hrmm yeah that's a tough one. Do you do any regression testing to make
sure the new modules don't break things (if people know stuff is
unlikely to break they are more likely to upgrade quickly, usually any

As a project there is an automated testing framework integrated into the
code hosted on drupal.org and a network of servers to run tests pretty
quickly, but very few of the contributed modules take advantage of it
(there are 16,000 of them after all). I don't think we've gone beyond
anecdotes for why people don't upgrade rapidly but it's definitely
something we're constantly working to improve the speed of the upgrade

Perfect! I was just thinking, as long as the main project
contributors/etc. (e.g. you guys in the case of Drupal) do the CVE
requests in a regular and public way (e.g. to OSS-sec) than there is
minimal chance of duplicates and other problems (e.g. someone else
sending a request to Mitre directly or whatever).


Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]