Date: Fri, 21 Feb 2014 12:14:26 +1100
From: Garth Mollett <gmollett@...hat.com>
To: oss-security@...ts.openwall.com
CC: coley@...re.org
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

On 02/20/2014 09:49 AM, David Jorm wrote:
>>
>> Do some of these issue need a CVE assigned?
>>
>> Regards,
>> Salvatore
>>
> 
> It looks to me as though at least some of these issues definitely need CVE IDs assigned. I reported SECURITY-105, and it is my opinion that this flaw needs a separate CVE ID to CVE-2013-7285. The Jenkins patch blocks DynamicProxyConverter from the Jenkins wrapper class XStream2, without changing the XStream library at all. This implements a less-general solution than the XStream patch for CVE-2013-7285, and the patch applies to a completely separate codebase (i.e. Jenkins itself, not XStream). Therefore it is my understanding that this flaw as it affects Jenkins qualifies for a unique CVE ID. When reporting this flaw to upstream, the Jenkins engineers agreed that it qualified for a unique CVE ID, and I offered to assign a CVE ID from the Red Hat CNA. This offer was refused, but then the advisory was released without a unique CVE ID, which is puzzling indeed.
> 
> Could someone from MITRE please weigh in and assign CVE IDs as appropriate for these flaws?
> 

Hi,

Is there any movement on this? The original request for CVEs came to
oss-sec on the 17th.

Thanks.
