Date: Fri, 21 Feb 2014 12:14:26 +1100
From: Garth Mollett <gmollett@...hat.com>
To: oss-security@...ts.openwall.com
CC: coley@...re.org
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

On 02/20/2014 09:49 AM, David Jorm wrote:
>>
>> Do some of these issues need a CVE assigned?
>>
>> Regards,
>> Salvatore
>>
>
> It looks to me as though at least some of these issues definitely need CVE IDs assigned. I reported SECURITY-105, and it is my opinion that this flaw needs a separate CVE ID to CVE-2013-7285. The Jenkins patch blocks DynamicProxyConverter from the Jenkins wrapper class XStream2, without changing the XStream library at all. This implements a less general solution than the XStream patch for CVE-2013-7285, and the patch applies to a completely separate codebase (i.e. Jenkins itself, not XStream). Therefore it is my understanding that this flaw, as it affects Jenkins, qualifies for a unique CVE ID. When reporting this flaw to upstream, the Jenkins engineers agreed that it qualified for a unique CVE ID, and I offered to assign a CVE ID from the Red Hat CNA. This offer was refused, but then the advisory was released without a unique CVE ID, which is puzzling indeed.
>
> Could someone from MITRE please weigh in and assign CVE IDs as appropriate for these flaws?
>

Hi,

Is there any movement on this? The original request for CVEs came to oss-sec on the 17th.

Thanks.