Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 3 Mar 2010 18:45:46 -0700
From: Vincent Danen <vdanen@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010
 CVE names?

* [2010-03-03 13:01:18 -0500] Steven M. Christey wrote:

>On Tue, 2 Mar 2010, Vincent Danen wrote:
>
>>* [2010-03-02 13:05:28 -0500] nobody@...hat.com via RT wrote:
>>
>>Hi, Steve.  I'm confused about these three CVEs, particularly since
>>CVE-2009-3297 was assigned to this issue (I suppose it would be more
>>correct to have 3 CVEs for the issue, but I'm not sure then why
>>CVE-2009-3297 was completely ignored unless you intend for it to be not
>>used/duplicated to one of these?).
>
>Sorry about not informing oss-security when I did this; I meant to.
>
>CVE-2009-3297 has been rejected since it was used heavily for 
>multiple issues that should have been assigned separate entries.  
>People weren't just using CVE-2009-3297 for Samba, they were using it 
>for fuse and others.

Ok, fair enough.  I thought that might have been the reason, but I was
unsure why we would drop CVE-2009-3297 altogether, but it makes sense.

>This rejection has since been uploaded to the CVE site:
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297
>
>Along with the three new CVEs:
>
>CVE-2010-0787 (Samba)
>CVE-2010-0788 (ncpfs)
>CVE-2010-0789 (FUSE)
>
>I try very hard to avoid doing this kind of split (and REJECT) except 
>when it seems like there will be a lot of confusion; I know how much 
>work it is to clean these up in advisories and so on.  I recognize 
>that many people have used CVE-2009-3297 for the Samba problem, but 
>it's been used in DEBIAN:DSA-1989 for FUSE and FEDORA-2010-1145 for 
>ncpfs, for example.  An administrator who thinks that "CVE-2009-3297 
>is fixed" might have solved the ncp issue but still be vulnerable to 
>the Samba issue.

I agree.  Fair enough.

>I had originally asked oss-security for clarification on this, 
>without an answer:
>
>http://www.openwall.com/lists/oss-security/2010/02/04/7
>
>(recognizing that I'm the most guilty party for not answering...) but 
>other situations forced me to clear this out.

Fair enough.  We probably should have replied to that as well.  =)

>>I'm also confused on using a 2010-based name since our bugzilla entry is
>>dated 2009-11-04, and Samba upstream has their reported dated
>>2009-10-28, so these should have received 2009-based names.
>
>I agree - this was an error on my part, so I apologize for the confusion.

Ok, no worries.  Certainly wouldn't want you to reject the 2010 names
for 2009 ones now.  =)

Thanks for the clarification.

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.