[Toybox] CVEs

enh enh at google.com
Sat Feb 18 21:06:17 PST 2023


on your blog, you said:
"""
Wait... really? There's a toybox CVE for httpd? (Yeah I remember
fixing that bug, but was it really worth a Charged Vacuum Emboitment?)
"""

given that the original bug on github explicitly had the "found by
$FOO of $BAR" boilerplate that you tend to see from security
researchers who file these things for a living, i assume they also
filed the CVE so they can claim priority if anything ever does come of
this bug. (this is one reason why consumers of CVEs have their own
people to try to determine the relevance/severity _to them_.)

if you ever get a "real" CVE -- one that's "obviously" important --
they'll probably mail you directly rather than zero-day you via the
github issue tracker :-)

