Date: Sun, 03 Mar 2013 12:50:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Michael Tokarev <mjt@....msk.ru>,
        Piotr Karbowski <piotr.karbowski@...il.com>
Subject: Re: CVE id request: busybox

On 03/03/2013 08:01 AM, Michael Tokarev wrote:
> 03.03.2013 18:33, Piotr Karbowski wrote:
>> On 03/03/2013 11:19 AM, Michael Tokarev wrote:
>>> What it has to do with Debian, besides that debian was first to
>>> actually submit this bug into its own bug tracker?
>> 
>> Actually not the first, the bug was reported to busybox
>> mailing list on 18 Dec 2012.
> 
> That's where I noticed it and submitted a bugreport to Debian BTS
> from there.
> 
> Note that I didn't want to request a CVE# for that, and used a
> somewhat low severity value for the report in the Debian BTS (which
> was quite some time after the initial report).
> 
> If I thought it deserves a CVE, I'd request one right after seeing
> the discussion in question :)
> 
> But I guess we're muddling waters for too much already.  I merely
> commented on the joke about Debian, -- the issue is definitely not
> debian-specific, Debian does not even use mdev from busybox (but
> allows to use it to the users).
> 
> Thanks,
> 
> /mjt
> 

This actually raises a good point, due to Debian being a secondary
source in most cases (e.g. upstream has a bug report which is then
copied into Debian's bug tracker since Debian ships it) the dates and
sometimes information are wrong. I will no longer be issuing CVEs for
issues brought up through the Debian bugtracker without an original
source to back it up, otherwise more mistakes will happen which is not
good.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

