Date: Thu, 7 Feb 2013 14:33:33 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

>Can you assign one more for matrixssl?

>http://www.matrixssl.org/news.html

The short answer is that you should map that MatrixSSL changelog
to CVE-2013-0169.

Here's how MITRE is currently looking at the set of issues:

CVE-2013-0169 is the identifier for the multi-vendor issue in the
TLS and DTLS protocols discussed in the
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf paper.

We anticipate that several more vendors will release changelogs,
with various levels of detail, mapping to that paper:

 -- If the changelog simply reports a new release to address that
    paper's issue, MITRE will consider that changelog to be a
    CVE-2013-0169 reference. A new CVE will not be created for that
    single vendor or a single product.

 -- If the vendor states that it uses a codebase corresponding to
    one of the other
    http://openwall.com/lists/oss-security/2013/02/05/24 CVEs (aka
    side issues), then the changelog will become a reference for
    that CVE.

 -- If the vendor makes any other statement about a vulnerability
    fix for a side issue, a new CVE will be created for the new side
    issue.

This approach should enable MITRE to provide reasonably consistent CVE
abstraction without detailed study of each vendor's code.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
