Re: DSA 438 - bad server time, bad kernel version or information delayed?
Jean Christophe ANDRÉ wrote:
> I can see on http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
> that this is still a candidate, but assigned since 2004.01.19, so this is
> probably ok...
Candidate name assignment can occur in blocks. It's not necessary that
a name is associated with a particular vulnerability on the day it was
assigned. Therefore, the assignment date is not a reliable indicator
for the date the vulnerability was discovered or disclosed to vendors.
> But, it would be better if this "for security reasons" delay had been
> made clear into the announcement, IMHO.
Yes, disclosure timelines are interesting, sometimes downright shocking
(look at a few timelines from iDefense).
Reply to: