Date: Fri, 21 Feb 2014 12:14:26 +1100
From: Garth Mollett <>
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

On 02/20/2014 09:49 AM, David Jorm wrote:
>> Do some of these issues need a CVE assigned?
>> Regards,
>> Salvatore
> It looks to me as though at least some of these issues definitely need CVE IDs assigned. I reported SECURITY-105, and it is my opinion that this flaw needs a separate CVE ID from CVE-2013-7285. The Jenkins patch blocks DynamicProxyConverter from the Jenkins wrapper class XStream2, without changing the XStream library at all. This implements a less-general solution than the XStream patch for CVE-2013-7285, and the patch applies to a completely separate codebase (i.e. Jenkins itself, not XStream). Therefore it is my understanding that this flaw as it affects Jenkins qualifies for a unique CVE ID. When reporting this flaw to upstream, the Jenkins engineers agreed that it qualified for a unique CVE ID, and I offered to assign a CVE ID from the Red Hat CNA. This offer was refused, but then the advisory was released without a unique CVE ID, which is puzzling indeed.
> Could someone from MITRE please weigh in and assign CVE IDs as appropriate for these flaws?


Is there any movement on this? The original request for CVEs came to
oss-sec on the 17th.

