
Re: Qualcom (and other) Android CVE IDs

On 06/06/2017 08:25 AM, Art Manion wrote:
> Good to see CVE used to identify vulnerabilities:
> https://source.android.com/security/bulletin/2017-06-01#qualcomm-closed-source-components
> but there's little or no information about any of these 
> vulnerabilities.  Lots of RESERVED.
> This touches on the use of CVE for "internal" finds.  There's value 
> in having a public label, but the lack of even summary information 
> (minimal CVE entry) is problematic.
>  - Art

Also the thread on oss-sec:


With some interesting notes like:


I don't know about Apple itself but in the clusterfuzz reports I see 4
public bugs about sqlite. However they have a very small (2 days) range
of regression, i.e. a commit made in those two days causes the problem.
I didn't check, but I suspect they didn't go in any release.

FTR, the time you are seeing in the regression range is UTC:

At this point I don't know if Apple refers to those issues or the
issues are not public.

Agostino Sarubbo

Basically these issues have CVEs but neither I (nor anyone else really) has
any clue what is actually affected and if we need to deal with it or not.
Kind of defeats the point :P.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: June 06, 2017