Date: Tue, 17 Jan 2012 13:16:38 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>, Agostino Sarubbo <ago@...too.org>
Subject: Re: CVE request: Wireshark multiple vulnerabilities

On 01/16/2012 01:19 AM, Kurt Seifried wrote:
>
> I agree in principle, however in practice this is a lot of work (as you
> well know =). I guess my question/concern would be is who does the
> research to verify all this, and what if it varies by version (i.e. it
> is 6 separate issues in an older version but the newer version combined
> some code into a common library for example so it's only a single issue,
> but with multiple avenues of attack/etc.). In other words a lot of
> potential work.

I did some research, with details available at:
https://bugzilla.redhat.com/show_bug.cgi?id=773726#c2
and
https://bugzilla.redhat.com/show_bug.cgi?id=773726#c3

In my opinion only 1 and 2 (ie ws bug 6663 and ws bug 6670) should be
allocated a CVE. Others are application crashes.

--
Huzaifa Sidhpurwala / Red Hat Security Response Team