On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote:
> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
>
> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
> >
> >> or possibly have unspecified other impact via unknown vectors.
> >
> > I'm just wondering ... is that Google language for "or possibly allow
> > remote code execution" ?
[...]
> That is the intentionally vague language of CVE (e.g.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).
[...]
> In terms of chromium, your best bet is simply to wait for the bugs to
> become unembargoed (e.g.
> https://code.google.com/p/chromium/issues/detail?id=235638).

Thanks. It's just that I tend to expect that by the time a security fix is released, those bugs *are* unembargoed, researchers are poring over code diffs, and clear descriptions are usually forthcoming cos there's no longer any point in being coy.

For instance, by the time a Firefox release is made Mozilla states explicitly in the release information whether or not each bug could cause rce. Same thing for Microsoft.

It occurred to me maybe - for whatever reason - Google Corp has devised its own vocabulary for these things; sort of like Oracle Corp never calling a spade a spade in these matters. Or the kernel team [ducks quickly] :)

I understand the Mitre people's predicament about the analysis workload though .... [gulp].

Cheers,
Nick
--
Firefox 3.6? Dude we're on 8.0 now. You're like 3 weeks behind !

