Date: Fri, 17 Jan 2014 19:39:27 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> With the news about the traffic amplification issue in ntpd, one of
> our developers looked at chronyd

At cve-assign@...re.org, we've received a number of reports that have
protocol descriptions, and ask for CVE assignments for amplification
attacks. We've declined making assignments for those. One of the
criteria we're currently using is:

- cases in which a vendor of a UDP protocol implementation announces
  that they made a security-relevant mistake by having configuration or
  code elements that allow amplification attacks, and publishes a fix
  for this mistake

One of the other CVE Numbering Authorities was also receiving similar
reports. We coordinated with them and learned that they were looking at
CVE eligibility in much the same way.

The "in which a vendor of a UDP protocol implementation" above was what
we had for the CVE-2013-5211 ntpd issue (with some definition of
"announces").

We don't know the ultimate outcome of how amplification attacks will
interact with the scope of CVE, but we did want to point out that this
CVE-2014-0021 assignment seemed inconsistent with what we've been doing.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2cuHAAoJEKllVAevmvmsurYIALjzoZDswrD9TcHR/ObNIU9G
6qIsWM49HJ0VRnY88DJj1aO3vB2bnGiPNVK7Xe3RNkIBW6OPZ4cQyypv2ZijjhSC
QLMlGgzgGAvJq4MQjOeq2RQinS3MUuqj4cHcoQ9Fy64avonXlfuJEsDu5WC3yEah
M6el74ZmwPZupfs0hTvq0aGjvSqRd2alSFsSRUwUxHMS8PZLj4bP/l/NfHMPLC9V
vdQFm90JhccAkn0uzPc87lOeVlqQCpX1KH8R587S2MneoommzKEBrVQI1xTlNjrR
gLyz58pHC9kxPwkbztBr5hS5isSyKpsmrcvKhLRQlLi/51Kd9zTAucj9RdF6gLU=
=S4od
-----END PGP SIGNATURE-----