Date: Fri, 17 Jan 2014 20:21:13 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

> Is this not a same/similar case?

There are many UDP protocols in which the reply traffic is larger than the request traffic. A vendor can handle this in several possible ways, including (for example) a statement that the protocol implementation details were intentional, and that adverse effects are a network-operations problem, not a software problem. CVE is about software mistakes. So, at least at the moment, we are looking for vendors who characterize the issue as a software mistake, and fix it. In the chronyd case, this seems likely, so we don't expect any long-term issue with including CVE-2014-0021 in CVE.

There may well be other reasonable approaches. An example approach might be making CVE assignments for any protocol implementation that's similar to one that already has a CVE (e.g., similar to ntpd). We're not currently using that approach.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]