oss-sec mailing list archives

Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 30 Jan 2015 01:00:35 +0100

Hi all,

As promised, I wrote down my lengthy thoughts in a blog post:
https://blog.hboeck.de/archives/864-What-the-GHOST-tells-us-about-free-software-vulnerability-management.html

On Thu, 29 Jan 2015 09:50:01 -0700
Kurt Seifried <kseifried () redhat com> wrote:

> This is why for example I've been trying to make CVEs easily
> available so people are more likely to come to us with borderline
> issues ("I'm not sure but this looks weird and may be security
> related"). I'm also working on a set of examples for the CVE HOWTO so
> again developers will hopefully be able to realize when things look
> weird and may be a security issue and not just a flaw. I'm trying to
> find ways to help educate people/make it easier for them to report
> security issues but this is a non-trivial problem.

Regarding CVEs - I have had similar experiences to Michal. It's very
mixed: sometimes I get CVEs quickly, sometimes I don't get answers to
requests.

I would like the CVE process to be a better tool to organize this (as
I've written in my blog post), but right now I feel it's not working
reliably enough for that. At some point I stopped caring too much about
CVEs because I felt waiting for them stopped me from reporting more
issues.


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42


