Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: oss-security@...ts.openwall.com
Subject: Re: Duplicated CVE assignment for bip

Moritz,

These are two slightly different issues, although a casual reading of the descriptions does not make that sufficiently clear. The original CNA assignment of CVE-2013-4550 did not consider that there appear to be two different types of issues, which means a SPLIT of the CVE ID.

The issues are disclosed in Bug 261 here:

https://projects.duckcorp.org/issues/261

The first issue is that Bip will write to arbitrary sockets when run in daemon mode because stderr is closed:

"when using SSL (client_side_ssl = true), bip will write an error to stderr when the SSL handshake fails. However, if it is running as a daemon, stderr will have been closed."

We narrowed the scope of CVE-2013-4550 to this first issue. Note that while the bug was apparently filed and public in 2011, it was given a CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is out of sync with the disclosure date. We also didn't see a need to REJECT this CVE because of the scope change either, since it's in reasonably wide use.

The second issue covers connections that are never closed:

"Also, when an SSL handshake error occurs, a socket is never closed, but remains in CLOSE_WAIT state forever. This happens because a socket that is set to have an error will never be closed."

A fix for the first issue would not necessarily guarantee a fix of the second issue, and the bugs are of different types. Therefore the second issue is SPLIT from the first. We assigned CVE-2011-5268 accordingly, since at the time of assignment, we knew that 2011 was the disclosure date.

When we published these CVEs, we probably should have notified oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's descriptions to reflect the close relationships. I apologize for that.
- Steve

On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote:

> Hi,
> Seems there's a duplicated CVE ID for bip:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268 refer
> to the same bugreport.
>
> Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should
> be rejected?
>
> Cheers,
> Moritz
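The mechanism behind the two bugs discussed in the thread, as an added C example that is not bip's code and was not posted by anyone on the list. It uses plain AF_UNIX socketpairs in place of an SSL-wrapped client connection. The first function models CVE-2013-4550: a daemonizer that close()s fd 2, after which the next accepted socket is handed descriptor 2 (POSIX allocates the lowest free number), so the "SSL handshake failed" message that bip's error path prints to stderr is delivered to the client on the other end. With hardened set, fd 2 is instead pointed at /dev/null before any socket is created, which is the usual fix. The second function models CVE-2011-5268: after the peer has gone away, a socket whose error path does not close() it stays open for the life of the process. The function names, the message text and the use of fcntl(F_GETFD) as the liveness check are this example's own assumptions.

```c
/* Constructed demonstration of the two bip issues; not bip source. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Issue 1 (CVE-2013-4550): after daemonization has closed fd 2, an error
 * report written to stderr lands on whatever descriptor was allocated
 * into slot 2 next, here the "client" socket.  hardened != 0 models the
 * fix (fd 2 redirected to /dev/null instead of closed).  Returns the
 * number of bytes the peer received (0 when nothing leaked), -1 on a
 * setup error.  The real stderr is saved and restored around the demo. */
ssize_t demo_stderr_leak(int hardened, char *peer_buf, size_t cap)
{
    int sv[2], srv, peer;
    int saved = dup(2);
    ssize_t n = -1;
    if (saved < 0)
        return -1;

    if (hardened) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull < 0 || dup2(devnull, 2) < 0) { close(saved); return -1; }
        close(devnull);
    } else {
        close(2);                     /* what a naive daemonize() does */
    }

    /* The accepted client connection.  Without the fix, the lowest free
     * descriptor is 2, so one end of this pair *is* stderr now. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        srv = sv[0]; peer = sv[1];
        if (sv[1] == 2) { srv = sv[1]; peer = sv[0]; }

        fprintf(stderr, "SSL handshake failed\n");   /* the error path */

        close(srv);                   /* server side done; peer sees EOF */
        n = recv(peer, peer_buf, cap, 0);
        close(peer);
    }

    dup2(saved, 2);                   /* put the real stderr back */
    close(saved);
    return n;
}

/* Issue 2 (CVE-2011-5268): the peer has shut down, the handshake failed,
 * and the socket is marked "in error" but never closed.  On TCP this is
 * the descriptor netstat shows stuck in CLOSE_WAIT.  close_on_error != 0
 * models the fix.  Returns 1 if the descriptor is still open afterwards,
 * 0 if it was released, -1 on setup error. */
int demo_socket_leak(int close_on_error)
{
    int sv[2], fd, still_open;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    fd = sv[0];
    close(sv[1]);                     /* peer goes away */

    /* handshake error path: flag the socket, and either close it or not */
    if (close_on_error)
        close(fd);

    still_open = (fcntl(fd, F_GETFD) != -1 || errno != EBADF);
    if (still_open)
        close(fd);                    /* don't let the demo itself leak */
    return still_open;
}

int main(void)
{
    char buf[64] = {0};
    ssize_t got = demo_stderr_leak(0, buf, sizeof buf - 1);
    printf("closed stderr: client received %zd bytes: %s", got, got > 0 ? buf : "\n");
    memset(buf, 0, sizeof buf);
    got = demo_stderr_leak(1, buf, sizeof buf - 1);
    printf("stderr -> /dev/null: client received %zd bytes\n", got);
    printf("no close on error: fd still open = %d\n", demo_socket_leak(0));
    printf("close on error:    fd still open = %d\n", demo_socket_leak(1));
    return 0;
}
```

The practical takeaway is the one a reviewer of any daemonizing code should check for: never close() 0, 1 or 2 in a long-running process, dup2() them onto /dev/null so later open()/accept() calls cannot land on them; and treat "socket marked as errored" as a state that must end in close(), or the descriptor (and the kernel connection behind it) lives until the process exits.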