svn commit: r321045 - head/security/tor-devel

b.f. bf1783 at googlemail.com
Sun Jun 16 18:17:20 UTC 2013


On 6/16/13, Eitan Adler <eadler at freebsd.org> wrote:
> On Sun, Jun 16, 2013 at 4:06 PM, b.f. <bf1783 at googlemail.com> wrote:
>> In this case no CVEs were issued
>
> This is odd.

Not very, when you consider that this is development code, and not a
stable release.  It would be absurd to think that every developer goes
running to a CNA every time they find any problem in their repository.
The CVEs represent only the tip of the iceberg when it comes to
security problems: serious problems in common, released software that
have been disclosed through certain channels to Mitre, CERT, or one of
the other CNAs, and are approved for inclusion in the database. Not
every bug is found, fewer still are disclosed, and even fewer are
reported to a CNA and given a CVE-ID.

The Tor developers are very conscientious when it comes to reporting
bugs, even ones that are unlikely to be exploited. They often fix and
report problems that would go undetected or undisclosed in other
projects.  But only some of the most serious bugs are reported by the
project or by others to a CNA.

b.

