
Re: Qualcom (and other) Android CVE IDs



On 06/06/2017 08:25 AM, Art Manion wrote:
> Good to see CVE used to identify vulnerabilities:
> 
> https://source.android.com/security/bulletin/2017-06-01#qualcomm-closed-source-components
> 
> but there's little or no information about any of these
> vulnerabilities. Lots of RESERVED.
> 
> This touches on the use of CVE for "internal" finds.  There's value 
> in having a public label, but the lack of even summary information 
> (minimal CVE entry) is problematic.
> 
>  - Art

Also the thread on oss-sec:

http://seclists.org/oss-sec/2017/q2/378

With some interesting notes like:

http://seclists.org/oss-sec/2017/q2/380

=======
I don't know about Apple itself, but in the clusterfuzz reports I see 4
public bugs about sqlite. However, they have a very small (2-day) range
of regression, i.e. a commit made in those two days causes the problem.
I didn't check, but I suspect they didn't go in any release.

FTR, the time you are seeing in the regression range is UTC:
https://github.com/google/oss-fuzz/issues/563

At this point I don't know if Apple refers to those issues or the
mentioned issues are not public.

-- 
Agostino Sarubbo
=======

Basically these issues have CVEs, but neither I (nor anyone else, really) has any
clue what is actually affected and whether we need to deal with it or not.
Kind of defeats the point :P.



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: June 06, 2017