Mention the CVE id in "Ruby 1.9.2-p330 Released" #817
Comments
|
Could you please email security@ for these kinds of reports, please? Thank you! <3 |
|
@zzak you appear to be the original author of the blog post, but simply forgot to mention the CVE id.
|
|
Emailed |
|
Um? IMO there's no need to send email on security@... if CVE id already exists. @zzak This is not existing news post's problem so we can handle this here. |
|
@postmodern what was the CVE id? can you submit a patch? ;) |
|
@zzak no one seems to know the CVE id, or if one was even requested. |
|
What's also weird is the |
|
@postmodern I dont think a CVE was ever assigned, as this was considered a bugfix. Sorry for the confusion. |
"Critical security regression" doesn't exactly sound like a bugfix. Could you please have security@ request a CVE from MITRE? |
|
Use CVE-2014-6438 |
|
@tarcieri I can't find any information for CVE-2014-6438? If I can get a confirmed CVE, I'll make a PR to fix the news post. |
|
I just got it assigned about an hour ago at @zzak's request (via oss-security) |
|
and fixed in Pull Request #1138. |
|
In the updated announcement it's mentioned:
However, that bug report is private. Unless there's confidential information in the report, can you make it public, please? Thanks! |
There is no mention of the CVE id in Ruby 1.9.2-p330 Released.
The text was updated successfully, but these errors were encountered: