Date: Thu, 23 Feb 2012 13:10:40 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: muuratsalo experimental hack lab <muuratsalo@...il.com>, Ulli Horlacher <framstag@....uni-stuttgart.de>
Subject: Re: Vulnerabilities in Debian F*EX <= 20100208 and F*EX 20111129-2.

Nico Golde said:

>>>> Can someone please assign a CVE id to this? Given that all of
>>>> the vulnerable input parameters are in the fup component, I
>>>> guess one id should be sufficient.

We actually need two CVEs here.

Which components the vulnerabilities are in is rarely relevant for
deciding how many CVEs to assign. Much more critical is which versions
are affected. The original researcher provided two advisories for 2
different versions. So even though "fup" is affected, we would need to
SPLIT if there are some items/vectors/issues that affect different
versions than others (hint: we will SPLIT.)

Kurt said:

> Please use CVE-2012-0869 for this issue.

Here are the breakdowns for the two advisories/versions:

F*EX <= 20100208
  fup / from parameter
  fup / to parameter
  fup / id parameter

F*EX 20111129-2
  fup / id parameter

So, based on the original report, we have:

20100208 only:
  fup / from
  fup / to

20100208 *and* 20111129-2
  fup / id

So, we MERGE the "fup" and "from" vectors since they affect the same
version, and we SPLIT these from the "id" vector.

(For the incredibly detail-oriented: whether the parameters come via GET
or POST methods is irrelevant for CVE.)

Now, the question is which issue we link with CVE-2012-0869. Since Debian
bug 660621 focuses on the id parameter, and that parameter affects both
listed versions, I guess it makes sense to focus CVE-2012-0869 on the id
parameter.

I've assigned CVE-2012-1293 for the "from" and "to" parameters that are
only listed for 20100208.

- Steve