[Secure-testing-team] [Secure-testing-commits] r14905 - data/CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Jul 5 17:37:50 UTC 2010
Hi,
* Michael Gilbert <gilbert-guest at alioth.debian.org> [2010-06-25 09:49]:
[...]
> @@ -20840,7 +20926,8 @@
> CVE-2009-0375 (Buffer overflow in a DLL file in RealNetworks RealPlayer 10, ...)
> NOT-FOR-US: RealPlayer
> CVE-2009-0374 (** DISPUTED ** ...)
> - - chromium-browser (unimportant)
> + - chromium-browser <unfixed> (low)
> + - webkit <not-affected> (poc doesn't work)
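Review bot: The added webkit line marks the package not-affected with only "poc doesn't work" as the reason, which records a failed test rather than why the code is not vulnerable. Replace the note with the actual reason, for example that the affected code is not present in the webkit source, or keep the entry open until that is established. The chromium-browser line in the same hunk moves from unimportant to unfixed (low) on an entry still tagged DISPUTED, so it should also carry a short note saying what justified the change.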
Every serious security researcher/enthusiast should question himself if a note
such as "poc doesn't work" is acceptable. Imho it's not, it's a PoC, nothing
more. If a PoC doesn't work that doesn't mean there is no vulnerability. Such
notes are also not acceptable for the security tracker. If it can't work
because of something else or there is more reasoning behind that, please note
it and be verbose.
Cheers
Nico