Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 23 Feb 2012 13:10:40 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: muuratsalo experimental hack lab <muuratsalo@...il.com>,
        Ulli Horlacher <framstag@....uni-stuttgart.de>
Subject: Re: Vulnerabilitites in Debian F*EX <= 20100208 and
 F*EX 20111129-2.


Nico Golde said:

>>>> Can someone please assign a CVE id to this? Given that all of
>>>> the vulnerable input parameters are in the fup component, I
>>>> guess one id should be sufficient.

We actually need two CVEs here.

Which components the vulnerabilities are in, is rarely relevant for 
deciding how many CVEs to assign.  Much more critical is which versions 
are affected.  The original researcher provided two advisories for 2 
different versions.  So even though "fup" is affected, we mould need to 
SPLIT if there are some items/vectors/issues that affect different 
versions than others (hint: we will SPLIT.)

Kurt said:

> Please use CVE-2012-0869 for this issue.

Here are the breakdowns for the two advisories/versions:

F*EX <= 20100208
   fup / from parameter
   fup / to parameter
   fup / id parameter

F*EX 20111129-2
   fup / id parameter


So, based on the original report, we have:

   20100208 only:
     fup / from
     fup / to

   20100208 *and* 20111129-2
     fup / id

So, we MERGE the "fup" and "from" vectors since they affect the same 
version, and we SPLIT these from the "id" vector. (For the incredibly 
detail-oriented: whether the parameters come via GET or POST methods is 
irrelevant for CVE.)

Now, the question is which issue we link with CVE-2012-0869.  Since Debian 
bug 660621 focuses on the id parameter, and that paremeter affects both 
listed versions, I guess it makes sense to focus CVE-2012-0869 on the id 
parameter.

I've assigned CVE-2012-1293 for the "from" and "to" parameters that are 
only listed for 20100208.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.