[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Oct 2008 16:18:36 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2008-4619 / milw0rm6775
On Wed, 29 Oct 2008, Tomas Hoger wrote:
> Looks like this is a dupe of CVE-2007-0165 after all...
>
> http://www.securityfocus.com/bid/21964/
> http://secunia.com/advisories/23700/
> http://secunia.com/advisories/32403/
Nothing against these sources but in general CVE wants a solid "logic
chain" between 2 descriptions before declaring a dupe. In this case
CVE-2007-0165 is anchored on a very vague description from Sun about
something in libnsl. CVE-2008-4619 is quite specific. Just because it's
the same rpcbind service is insufficient as we all know that the same
package can contain multiple security bugs.
The most solid connection here, though, is SUNALERT:102713 (which
CVE-2007-0165 is anchored on) has now been renamed to SUNALERT:200412,
which directly references CVE-2008-4619.
I'll send a quick-check email to Sun but these do appear to be dupes. So
then the question is which CVE to reject, and I'm not sure at this moment.
- Steve
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
