Date: Sun, 22 Dec 2013 21:36:43 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE REJECTS

On 12/22/2013 03:42 AM, Solar Designer wrote:
> Kurt, all -
> 
> On Wed, Dec 18, 2013 at 11:29:23PM -0700, Kurt Seifried wrote:
>> CVE-2013-4403 - turns out CVE-2013-4404 covered the issue, no
>> need for 4403.
>> 
>> CVE-2013-4418 - turns out to be security hardening, not a
>> security flaw, just like CVE-2013-4417
> 
> While I greatly appreciate your work on CVE assignments, I'd
> appreciate it if you and others include at least project names and
> preferably also vulnerability types and/or brief descriptions along
> with CVE IDs in postings such as the above.  That would make them a
> lot more useful to

Uhmm but they aren't security issues, they are mistakes (usually
either duplicate or issues that turn out not to be a security
vulnerability). As well some of these issues (in this case both I
think) are still under embargo/not public so I can't always release
details when they are being publicly rejected.

> those of us who are not focused on CVE as much, but may
> nevertheless be interested in findings about the actual security
> issues.  We're unlikely to go and look up each CVE ID mentioned
> without detail just in case it's relevant to our projects.

This part I don't really understand. If you want to see what security
related bugs Red Hat products have you can simply search our BZ for
products and look for the keyword "Security". Not clear what
looking up CVEs that have been rejected due to errors/etc. has to do
with this?

> Thanks,
> 
> Alexander
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
