On Fri, 25 Dec 2015, Nikola M wrote:

> Also, information about CVEs that are not released yet is not required to be public before the package maintainer fixes it.
> That is what I think I understand thus far, am I right?

This depends on who reports and manages it. To get advance notice of CVEs, one must agree to the terms of whomever is providing the advance notice. For a "zero-day" type exploit which can be expected to be exploited immediately (but is not publicly known), it is common for fixes to be intentionally held back so that they are released for all operating systems on the same day.

Many/most CVEs are assigned for issues which are already publicly known.

Many security issues are found and fixed without any formal security report. For example, the application developer might find that reading a particular file causes the application to core dump. So they fix the bug and move on. If someone else had noticed the problem, it may have been formally reported, with an assigned CVE id.

Bob
--
Bob Friesenhahn
[email protected], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

_______________________________________________
oi-dev mailing list
[email protected]
http://openindiana.org/mailman/listinfo/oi-dev