Date: Wed, 14 Sep 2011 14:19:44 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Gerald Combs <gerald@...eshark.org>, cve-assign@...re.org
Subject: Re: CVE Request: Multiple issues fixed in wireshark
 1.6.2

----- Original Message -----

> 2. Wireshark Lua script execution vulnerability
> http://www.wireshark.org/security/wnpa-sec-2011-15.html
> https://bugzilla.redhat.com/show_bug.cgi?id=737784

Use CVE-2011-3360 for the above.


Are the below worth assigning CVE ids to? The advisory seems to suggest
they are crash only fixes. Do those deserve CVE IDs? I know we've been
fairly generous with wireshark in the past, but I'm wondering if we need to
draw a line somewhere.

> 
> 1. Wireshark CSN.1 dissector vulnerability
> http://www.wireshark.org/security/wnpa-sec-2011-16.html
> https://bugzilla.redhat.com/show_bug.cgi?id=737783
> 
> 3. Wireshark buffer exception handling vulnerability
> http://www.wireshark.org/security/wnpa-sec-2011-14.html
> https://bugzilla.redhat.com/show_bug.cgi?id=737785
> 
> 4. Wireshark OpenSafety dissector vulnerability
> http://www.wireshark.org/security/wnpa-sec-2011-12.html
> https://bugzilla.redhat.com/show_bug.cgi?id=737787
> 

Thanks.

-- 
    JB
