by lecha 1066 days ago
How many of you have received this notice via an official security advisory channel you're monitoring/acting on? If so, which advisory service do you use and how do you configure it? Learning about HN is useful, but far from a reliable solution.
4 comments

I am subscribed to their GitHub releases and when I saw a release for every old version I knew what's up :-)
Yeah I do the same for projects I use. I also received an email but don't remember if I also signed up to their newsletters or something like that.
Saw it on HN.
It is definitely not announced on Full Disclosure nor on oss-security mailing lists.
> Will you release any information about the vulnerability?

> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.

From their blog.

Oh absolutely, but it's trivial to get a CVE from the relevant CNAs. A webform or a phone call.

It's a bit silly.

Don't you have to share more details about the exploit then? That seems to be the thing they're trying to avoid for now.
Negative, you can request a CVE without specific details; CNAs do this all the time until unembargo.
I got an email directly from Metabase.