On Tue, May 21, 2019 at 10:39:03PM +0200, Moritz Mühlenhoff wrote:
> > Yes. Our plan is to bring out a fix and then get in touch and have 4 of the
> > 5
> > CVEs rejected. Unfortunately, the fix is far more complicated than we had
> > hoped for. But we have a pull request now, so this is getting c
; a bit confusing.
>
> On Mon, May 20, 2019 at 11:03:46PM +0200, Moritz Mühlenhoff wrote:
> > On Sat, May 11, 2019 at 06:45:13AM +0200, Christian Folini wrote:
> >
> > Hi Christian,
> >
> > Thanks for chiming in, much appreciated! But I need some further
> > cl
Hello Moritz,
Thank you for your feedback.
On Mon, May 20, 2019 at 11:03:46PM +0200, Moritz Mühlenhoff wrote:
> Thanks for chiming in, much appreciated! But I need some further
> clarification.
Sure.
> CVEs are not assigned for regular expressions by itself.
The CVEs are assigned based on the
lve them without changing the behavior of the WAF
that could introduce other security problems for our users. And that is
very tricky.
Hope this brings some clarity and you can reduce the severity of the bug until
we can deliver a solution.
Cheers,
Christian Folini, CRS Co-Lead
4 matches
Mail list logo
